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CSIS Centre for Strategic and International Studies 
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EURIM European Information Society Group 
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FCC Federal Communications Commission 
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HTML Hypertext Mark-up Language 

HTTP Hypertext Transfer Protocol 

ICGI Interagency Committee on Government Information 
ICT Information and Communications Technology 


IDC International Data Corporation 
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IE Microsoft Internet Explorer 

IMT Institute of Management Technology 

Interpol International Criminal Police Organization 

IP Internet Protocol 

ISC Internet System Consortium 

ISP Internet Service Provider 

ITU International Telecommunication Union 

KKO Korkein oikeus (The Supreme Court of Finland) 

KouHo Kouvolan hovioikeus (Court of Appeal Finland (Kouvola)) 
LAN Local Area Network 

MIT Massachusetts Institute of Technology 

NCIS National Criminal Intelligence Service 

NCSA National Cyber Security Alliance 

NII National Information Infrastructure 

NIPC National Infrastructure Protection Centre 

NIST National Institute of Standards and Technology 

NPA National Police Agency 

OAS Organization of American States 

OECD Organization for Economic Cooperation and Development 
PUMA Public Management Service 

REMJA Meeting of Ministers of Justice or of Ministers or Attorneys General of the Americas 
RovHO Rovaniemen hovioikeus (Court of Appeal Finland (Rovaniemi)) 
THO Turun hovioikeus (Court of Appeal Finland (Turku)) 

UBE Unsolicited Bulk E-mail 

UCE Unsolicited Commercial E-mail 

UCITA Uniform Computer Information Transactions Act 

U. K. The United Kingdom 

U.S. The United States 

UN The United Nations 

UNCIJIN United Nations Crime and Justice Information Network 
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URL Universal Resource Locator 
WSIS World Summit on the Information Society 


WWW World Wide Web 
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CHAPTER 1. INTRODUCTION 


1.1 Research background and approach 


The ultimate purpose of the social sciences is to discover a method of making people in 
society stronger and wealthier and making society as a whole more prosperous and secure. 
The future belongs to the strong and the wealthy, simply because there should no longer be 
the weak and the poor. The factors by which people’s welfare is improved are however, 
constantly changing, because the future is a continuing uncertainty. 

Our society is experiencing a continuous transition from a natural physical environment 
to a constructed physical environment and from a natural social environment to a constructed 
social environment (Coleman, 1990). Recent decades have witnessed a golden age in social 
history, previously symbolized by long wars and disasters, but now showing a scene of 
unparalleled development in information and communications technology (ICT)' and related 
material forms of computers and networks. In both academic and popular discourses, 
newly-coined words indicate that the information age has arrived* and an information 


society has emerged.* The emancipation of the Internet from monopolistic control to open 





A note on references: Key notes, particularly those relating to the author’s key lines of argumentation, 
are placed as footnotes. References to books and other material that are to be considered as 
background sources for the dissertation have been placed, in brackets, in the body of the text itself. 

' No unified definition exists for information and communications technology, or information 
technology. However, it is acceptable to define it as a term that “describes the whole range of 
processes for the acquisition, storage, transmission, retrieval and processing of information” (King 
1982, p. 35). It “is the term used to refer to the integrated use of informatics, information and 
communication tools and infrastructure to assist in the dissemination of knowledge” (Franklin 2006, p. 
1). In 1998, the OECD defined ICT industry as “a combination of manufacturing and services 
industries that capture, transmit and display data and information electronically” (OECD 2002b, p4). 

> The term “information age” was coined by Wilson Dizard in the book “The Coming Information 
Age: An Overview of Technology, Economics, and Politics”, Longman, 1982. 

3 Information society is a society in which economic and cultural life is critically dependent on 
information and communications technology. The possible ways of defining information society 
comprise technological, economic, occupational, spatial, cultural and quantitative approaches (Webster 
2001). Roughly speaking, information society is a phase where social life is information dependent, 
information abundant, and information shared. At the World Summit on the Information Society 
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access to the public at the end of the twentieth century brought about a revolutionary epoch 
for human beings (Adamson, p. 37). The transition eliminated primary obstacles to 
information accessibility. That ICT reshapes business, the economy, education, entertainment, 
the media, the military, politics, as well as other social institutions in remarkable ways has 
already become a well-established common viewpoint. Few in international societies deny 
the fact that ICT is beneficial to states, organizations and individuals: it is an influential tool 
of development for the economies, a mechanism offering opportunities to overcome various 
traditional obstacles to development; and a medium increasing individuals’ active 
participation in social affairs and improving their competence in markets. ‘ Reality 
sufficiently justifies the discourse: up to date, the global networks of information systems 
have connected approximately 1.15 billion people (Internetworldstats.com 2007). More than 
one-fourth of them are online Europeans, who have the penetration rate of 39.8 percent (Ibid). 
In the European Union alone, the 255.58 million Internet users represent an average of more 
than half the whole population in these countries (Ibid). 

Information systems are designed to serve people.” Application of the Internet has 
created a focus of attention for an increasing number of individuals, organizations and 
governmental agencies. The networks connect a formerly offline population into an online 


cyberspace,° which is relatively separated from and independent of traditional society. It is 





(WSIS), world leaders declared that an “information society” was a “people-centred, inclusive and 
development-oriented” society, “where everyone can create, access, utilize and share information and 
knowledge, enabling individuals, communities and peoples to achieve their full potential in promoting 
their sustainable development and improving their quality of life, premised on the purposes and 
principles of the Charter of the United Nations and respecting fully and upholding the Universal 
Declaration of Human Rights” (WSIS 2003, Section A, paragraph 1). The information society is 
characterized by being "more interconnected; more interactive; more instantaneous (fast-paced); more 
information rich; more informal; more affordable; and more uncertain." (OECD 1998, p. 13). 

* The Commonwealth, Malta Declaration on Networking the Commonwealth for Development, 
Commonwealth Heads of Government Meeting (CHOGM), 25-27 November 2005. 

> Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the 
Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of 
such Data, Preamble (2). 

° Cyberspace is a term coined by William Gibson in Neuromancer (Gibson, 1984). An a popular 
definition of cyberspace, it includes all of the computers and other digital devices that are connected to 
both internal and external networks and can communicate with each other (Sadowsky and co-workers 
2003, p. 16). In recent years, the prefix “cyber-” has been widely used in both academic works and 
governmental documents. The original meaning of “cyber” means computer (Pickett and co-workers, 
2000). However, this prefix was not broadly used before computer networks became common. In fact, 
the origin of the prefix "cyber" has been traced back to human-machine interconnection (Jones 2003, p. 
112). Therefore, the public understanding of this prefix relates to the meaning of computer networks, 
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considered as a virtual environment where netizens’ live a virtual life, communicating with 
e-mail, chat rooms, instant messenger, and the bulletin-board system. They engage in 
teleworking;* going e-shopping; and are educated partially by means of computer-assisted 
learning,’ taking part in net-based courses; and carrying out e-commerce through electronic 
marketing. '° It is often anticipated that e-government will govern them by means such as 
e-governance.'' This virtual society is, however, still in the imagination or expectation, and 
society is far from splitting into a traditional society and a cyber society. However, at the 
same time, we cannot simply ignore the great influence of projects such as “Europe’s 


Information Society.” !” 


To extend Coleman’s social theory (1990), I would rather say that 
there are signs of a cyber physical environment and of a cyber social environment, which is 
being constructed on information systems and by netizens armed with information. 


Unfortunately, information systems are likely to crash, and likely to cause disputes and 


lawsuits.'? Furthermore, the order of cyberspace, closely associated with the welfare of 





particularly the Internet. In this dissertation, I also use this prefix in terms of computer and computer 
networks, but the emphasis is put on the whole information system rather than simply on the hardware. 
’ Netizen is a term used to indicate citizen in the Internet community, the counterpart of which is a 
citizen in the traditional community. 

According to Daintith (2004, p. 529), when computers and telecommunications are used in remote 
working, usually outside office, the activity is called teleworking. For detailed discussion and 
prospects on the teleworking environment, Shoni, Jackson, Hollmen and Aspnis (eds., 1998). 

’ Computer-based learning is usually termed as e-learning, or CBT (computer-based training) 
(Rosenberg, 2001). 

'° Commerce has been developing from traditional commerce through c-commerce (computerised 
commerce (Royall and Hughes 1990, p. 8), e-commerce to m-commerce. E-commerce is the 
abbreviated form of electronic commerce, referring to commerce using electronic media, usually, the 
Internet (Daintith 2004, p. 173). At present, when people say e-commerce, the general meaning of this 
term is commerce through the Internet. As far as commerce through the mobile network is concerned, 
people utilize the term m-commerce. 

'' According to Bharnagar (2004, p. 21), “the term e-government is sometimes confused with 
e-governance and the two terms are often used interchangeably. E-governance has been defined as the 
process of enabling transactions between concerned groups and the government through multiple 
channels by linking all transaction points, decision points, enforcing/implementation points and 
repositories of data using information and communication technologies, to improve the efficiency, 
transparency, accountability and effectiveness of a government.” 

'? European Commission, Europe’s Information Society-Thematic Portal. Retrieved 15 March 2007, 
from http://ec.europa.eu/information_society/index_en.htm 

'S In KKO:1988:103, a lawsuit was brought about on employee’s holiday compensation miscalculated 
due to the fault of the computer programme. In KKO:2005:3, the issue in dispute was that the 
advocate of a convicted person had sent an appeal against the conviction through an e-mail message 
and within the time limit, but the advocate received an answer in the form of an e-mail message from 
the court, stating that no e-mail massage had ever arrived and so no appeal had been received against 
the conviction within the time limit. 
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citizens, the security of businesses, and the stability of society is, however, becoming 
increasingly significant, due to increased scale of the online population to over one-sixth of 
the inhabitants of the globe. What is problematic in the landscape of the social sciences is that 
many technological loopholes are constantly being exploited with malicious intent, while 
technological opportunities are, at the same time, generating various benefits as well. Hence 
chaos, disorder, social problems, and more severely, crimes pose great threats to the security, 
reliability, and credibility of the information society. 

Cybersecurity has extended its influence into “meat space’, that is, real society, and 
caused widespread concerns among various entities. It has long been recognized as one of the 
issues deserving consideration in normal social life (for example, Aromaa and Laitinen 1994, 
pp. 47-101). As a typical example, the American Computer Science and Telecommunications 
Board of National Research Council (2002, pp. 1-2) has stated that, cybersecurity has always 
been the central concern in a series of their research studies in the past decade. It is also true 
for many other institutions, which invest considerable human resources and _ financial 
resources in their work.'* Cybercrimes,'> criminal offences committed by netizens in 
cyberspace, are new variants of criminal phenomena. This raises many questions as to 
whether the existing legal system has the capability of deterring cybercrimes. 

The development of crime is closely related to social transformation at both the micro 
and the macro levels. Two factors symbolize the severity of this criminality: On the one hand, 
it is growing at a rapid speed; on the other hand, it is a serious problem for both private and 
public sectors (Bequai 1983, p. 3). For the public, everyone faces the threat with same 
acceleration. With the emergence, development, and rampancy of cybercrime, 
cybercriminology, a new discipline, is acquiring an independent position. The studies of 
cybercriminal phenomena, its causes and motivations, and models for the prevention of 
cybercrime, compose the essential outline of cybercriminology. In this dissertation, 


cybercriminal phenomena constitute the corner-stone of the theoretical framework. Definition, 





'* Tt is neither necessary nor possible to give an academically exhaustive list of these institutions. But 
I would like to empirically name a few: the UN, the EU, the CoE, the OAS, the APEC, the ASEAN, 
the OECD, the FBI, the ITU, etc. 

'S Perrin (2005) stated that the term cybercrime was coined in the late 1990s when the G8’s Lyon 
Group used the term to describe criminal phenomena existing in the information and communications 
networks. 
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classification, motivation, and prevention are the primary architectural materials of an 
analytical construction. 

Traditionally, criminology has been composed of a variety of parallel theories in 
explaining criminal phenomena in general and as well as in specific offences. Causal factors 
and deterrence have constantly been the focuses of many different schools in this field. 

Cohen and Felson’s routine-activity theory (1979) provides a trichotomized method in 
reducing causal factors of crime to presence of motivated offenders and potential victims, and 
to the absence of effective guardianship. Broad attention has been paid to the theory in the 
last two decades. Grabosky and co-workers (2000) have applied the routine-activity theory to 
explain the causes of certain theft offences in cyberspace, stating that cybercrime might be 
explained by the combination of three factors: motivation, opportunity and the absence of 
capable guardianship, just like crime in general (See also Grabosky 2000, p. 1). This 
dissertation continues the analysis that Grabosky and co-workers have started, and seeks to 
incorporate the three factors in Cohen and Felson’s theoretical structure (1979) into social 
disorganization theory. 

Social change has both physical and psychological consequences for society and people, 
as well as for control mechanisms. Thus social change theory can well be installed at the 
sublevel of the routine-activity theory to reinforce the latter’s explaining power during rapid 
social transformation. 

Another theory is the social disorganization theory initiated by Thomas and Znaniecki 
(1927) and developed by Cooley (1983). The disorganization of society has broad physical 
and psychological impacts. At the same time, it means the disintegration of the existing 
social-control mechanisms. 

The reason for the incorporation of social change theory into the social disorganization 
theory is that the prevalence of information and communications technology and the 
proliferation of information itself signifies a great social transformation from members of 
society being weakly informed to members of society being more strongly informed. During 
this process, the old setting of previous social structure and relations that facilitated 
information access has been reshaped into a new set of social structures and relations. In the 
sense that the old order was dissolved while the new order has not fully established, there 
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emerges a period during which a new process of social disorganization is occurring. 

Social change not only directly leads to the presence of potential offenders and victims, 
as well as to the ineffectiveness of guardianship, but also leads to social disorganization. 
Furthermore, social disorganization not only happens as a result of social change, but also 
happens because of other factors. Whatever the reasons by which social disorganization 
emerges, it will lead to the triplet factors (motivated offenders, exposure of victims, and 
absence of guardianship) that influence the occurrence of crime. 

By now, the interweaving of social change theory, social disorganization theory and 


routine-activity theory renders a useful explanation of the criminal phenomena on the Internet, 


as Figure | illustrates. 






Information Social Social 


pervasion change disorganization 


Absence of guardianship 











Figure 1 Interrelational Structure of Three Factors 


When our academic activity involves analysing criminal phenomena, we naturally relate 
this social problem to the whole society. When our efforts are directed at tackling this 
problem, regardless of whether we are able or unable to erase these clouds from society, we 


first seek help from law. In fact, cybercrime is usually regarded as a legal phenomenon 
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regulated through criminal law, which is a branch of law that has the longest history, dealing 
as it does, with issues of crime and punishment. Feldman (1993, pp. 4-6) claimed that 
criminal law has a moving border accommodating crimes of various forms, implying that 
offences may be criminalized or decriminalized over time or across jurisdictions. In the 
temporal dimension, the change of criminal law over time necessitates legal reform, while in 
the spatial dimension, the difference in criminal laws between the various countries requires 
international harmonization. The emergence of cybercrime engenders both challenges. 
Analysing the elements of cybercrime helps to structure the legal system in the new field. 
The process of criminalization and penalization of various cybercrimes must be based on the 
reorganization and reconstruction of traditional criminal law. The incorporation of 
cybercrime not only increases the quantity of clauses, but also enriches the content of 
criminal law; it not only influences the literal provisions, but also helps to update the 
conventional notions; not only does it take into account the criminal “law,” but it also 
considers criminal policy. The general principle of criminal law has been concluded as 


“nullum crimen, nulla poena sine lege.”’® 


Nevertheless, at the same time, “[E]ven those laws 
which have been written down are best regarded as not unchangeable.” (Aristotle Aristotle, 
cited in Vernant, Jean-Pierre ed., 1995, p. 148) Timely amendment is a prerequisite for a 
penal code to meet the need of social change and for combating crimes. 


As a social phenomenon, crimes change with the development of society. It has 





'© The Latin maxim literally means that “no crime, no penalty without law.” Initially incorporated by 
Paul Johann Anselm Ritter von Feuerbach as part of the Bavarian Code in 1813, the principle has been 
broadly adopted in both national and international laws. Many countries provide for the principle in 
their constitutions. For example, Chapter 1 Section 8 of Constitution of Finland provides the principle 
of legality in criminal cases, saying that “No one shall be found guilty of a criminal offence or be 
sentenced to a punishment on the basis of a deed, which has not been determined punishable by an Act 
at the time of its commission. The penalty imposed for an offence shall not be more severe than that 
provided by an Act at the time of commission of the offence.” (Constitution (731/1999), Translation 
provided by Finland Ministry of Justice). 

Other countries provide it in their criminal laws. For example, Section 1 of Criminal Code of 
Germany provides that “An act may only be punished if its punishability was determined by law 
before the act was committed.” (As promulgated on 13 November 1998. Translation provided by the 
Germany Federal Ministry of Justice) International agreements also adopted this principle. For 
example, Article 22 of Rome Statute of the International Criminal Court, 17 July 1998 prescribes that 
“1. A person shall not be criminally responsible under this Statute unless the conduct in question 
constitutes, at the time it takes place, a crime within the jurisdiction of the Court. 2. The definition of a 
crime shall be strictly construed and shall not be extended by analogy. In case of ambiguity, the 
definition shall be interpreted in favour of the person being investigated, prosecuted or convicted... ” 
Article 7 (1) of European Convention on Human Right has a similar provision. 
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previously been recognized that with the advent of ICT, social change brought about by 
technology is capable of occurring with devastating rapidity. Social scientists should make 
efforts to identify the bases of the transformation occurring in the information age, a 
transformation which is happening faster than ever before (Peters 1971, p. 31). The theme 
considered within this dissertation is that despite the fact that society is increasingly 
dependent on information systems, cybercrime is eroding the underpinning of this society. 
“How to implement appropriate sanctions on cybercrime?” becomes one of the important 
questions society ought to answer. There have already been a number of preliminary efforts 
to analyse cybercrime and punishment, though the current achievement are somewhat 
fragmentary. | 

While ICT is an instrument that people designate to promote social welfare, the 
distinctive nature of cybercrime is social harm. The technology itself, nevertheless, contains 
no value judgment. It can only be used to satisfy revelation of both virtue and vice. Even if 
people deliberately use the technology to promote virtue and to restrain vice, this can have 
only a limited function. The purpose of all laws, particularly criminal law, is to protect 
individual, collective, public, or state interests by using the threat of punishment and by 
executing punishment to make the threat realized. But with cyber offences something more is 
needed. Consequently, the liability mechanism has been deployed as a necessary remedy for 
the abuse and misuse of technology (see especially Chapter X of this thesis). 

At the same time, the vulnerability of information systems '® exposes them to potential 
threats from social actors motivated by different desires. As Bertrand Russell stated that, 
“Life is nothing but a competition to be the criminal rather than the victim” (Russell 1920, in 
Griffin 2001, p. 215). Due to the potential for harm, cybercrimes and cybercriminals certainly 


concern governments, law enforcement, and international organizations. The liability of 





'7 Tn Chapter V, I shall give the details of cybercrime as a research subject. An alternative proof can be 
acquired through checking library catalogues or online databases, in which thousands of books, 
journal articles, reports, and legislative documents, and cases are deposited. 

'S According to the U. S. Federal Standard 1037 C, the term information system has the following 
meanings: “1. A system, whether automated or manual, that comprises people, machines, and/or 
methods organised to collect, process, transmit, and disseminate data that represent user information. 2. 
Any telecommunications and/or computer related equipment or interconnected system or subsystems 
of equipment that is used in the acquisition, storage, manipulation, management, movement, control, 
display, switching, interchange, transmission, or reception of voice and/or data, and includes software, 
firmware, and hardware.” See Federal Standard 1037C, MIL-STD-188. 
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cybercrime has become a new subject-matter in criminal law, tort law, and even contract law. 
As Smith, Grabosky and Urbas (2004) pointed out that, (their) previous studies had 
carefully described likely kinds of digital crimes and had furnished many appropriate 
preventive measures to stop crimes of this nature (p. 14). In order for our society to continue 
to flourish, legal certainty should be extended to guarantee that criminal activities committed 
in cyberspace are punished in the physical world. Starting from the accepted premise that 
social science theory can add help design and shape the social process (Coleman 1990), this 
dissertation focuses on the criminalization of offences, the harmonization of jurisdiction, 
international cooperation, and integrative prevention mechanisms. It will review and evaluate 
critical factors confronting the criminal-law system so as to give feasible policy 


recommendations for dealing with cybercrimes more effectively. 


1.2 Scope and structure of the study 


The scope of this study covers four aspects: information, the Internet, cybercrime and 
deterrence. Information provides an extra impetus for the development of society. The 
Internet poses great challenges to the legal system. Cybercrime is the cloud hanging over this 
interconnected information society. Deterrence is an attempt to eliminate the cloud. 

Information has all along been an increasingly dominant factor in the development 
process of civilization, as human beings sought shortcuts to speed information transmission 
and expand the span of information distribution. The inventions and discoveries of the earlier 
periods, particularly those in the field of the recording, transmission, distribution, transaction, 
consumption, and processing of information, constantly enabled society to develop. Today, 
all communication industries have their mission to satisfy the requirement for overcoming 
obstacles of communication over time and space. With the utilization of electricity, 
information transmission has reached the velocity of light (Cornish 1982, pp. 43-49). During 
the past two centuries, the telecommunications sector has developed rapidly, particularly 
when people have introduced innovative communications technology one after another. 

The limit of human beings’ own ability requires us to invent constantly. Various vehicles, 
including cars, trucks, tractors, boats, ships, planes, have the capacity of carrying goods and 
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passengers that people cannot carry. Cartridge, jet or laser printers have an absolute speed to 
produce printouts faster than any traditional transcribers do. Bullets, guns, tanks, warplanes, 
and warships are more than ever used to damage the enemy’s visible rivalry. The function of 
computers to process information, the function of deposit media to save information, and the 
function of the networks to transmit information all pose new challenges to traditional 
notions. Through computer systems, information reaches every corner of the globe and every 
field of social production, becoming one of the crucial symbols of contemporary society and 
one of the fundamental bases of human life. 

In addition, scientists have connected millions of computers into a global information 
network, which is the Internet. This transformation has been brought about by ICT (Division 
of Information 2001, p. 2) (Australia). ICT has much strong power such as compression of 
time and distance,” informability, relative easiness of access, targetability, and relative low 
cost (Public Management Service, PUMA 1998, pp. 15 and 34). The present reality is the 
reification of the past expectation. More than two decades ago, Hamrin (1982) anticipated 
that more individuals would be implicated in the management of information than were 
employed in traditional industries and private services combined (p. 66). In fact, the rapid 
development of the information industry proves that the worldwide labour force is moving 
forward in this direction, and the traditional industries have fallen, declined, have turned 
themselves into an information industry, or have turned to the services of the information 
industry. More and more actors, including individuals, groups, organizations, corporations, 
political parties, and state agencies are playing survival games on this new arena. The 
transformation of this micro social system has turned out to be a powerful force that impels 
the transformation of the whole society. 

The juridical sector is not exempted from this change. The entire legal system has 
undergone a continuous update in the information age. New legal events demand the 
attention of the legislature and judicature. Information systems are vulnerable to both internal 
and external factors. Critical infrastructure is inevitably confronted with potential abuses 
(Council of Europe, Convention on Cybercrime, Preamble) and attacks (Sofaer and 


co-workers 2000). The tasks of both protecting the legitimate interests and punishing 





'° “Compression of time and the annihilation of space” was referred in Harvey (1989, pp. 293-295). 
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illegitimate activities fall on legislation and law enforcement. A perfect legal framework 
(substantive law) and perfect judicial procedures (due process) are both necessary for this 
ideal to be realized. However, the ideal has inevitably suffered from frustration and induced 
critiques. Law and procedure can never be perfect. Even though the appropriate legislation 
had been drafted, cybercrime already emerged a decade after the invention of the computer. 
After three decades, cybercrime has become a noteworthy and costly act, described as a 
“multifaceted phenomenon”, which comprises illegal conducts involving hardware, software, 
and data (Parker 1990, p. 181). The topics of cybercrimes and cybercriminals attract the 
attention of both individual and organizational players, and are addressed in local, national 
and international forums. Although the discussion in this dissertation has been more or less 
linked to the criminological theories mentioned at the beginning of this chapter, the 
exploration, description and explanation developed in the following chapters are not 
presented in a way to coincide deliberately with these theoretical aspects. Rather, the contents 
are arranged in a way to reflect the intrinsic structure of the thinking hitherto established in 
this specific order. 

In Chapter 2, information is classified according to its value into five categories, 
including information with positive value, value-neutral information, valueless information, 
information with negative value, and information the value of which is disputable. The 
Chapter further analyses the interaction between information and criminal law, particularly 
the necessity for criminal-law reform in the information age. 

The purpose of Chapter 3 is to introduce the social-technological background of the 
emergence of cybercrime and the necessity for a legal response. The pervasiveness of 
information and communications systems brings about a legal gap in regulating the new 
crimes and new forms of existing crimes. There is also the necessity for extending the objects 
that the criminal law should protect. The rapid advancement of technology and the inertia of 
criminal law form a sharp contrast. The multiple roles of computer systems in crime, and the 
decentralization of the Internet make it more complicated to combat cybercrime effectively 
through any single measure. 

To address the challenges posed to criminal law by information systems, it is necessary 
to clarify how the phenomenon stands from the legal viewpoint. Chapter 4 concentrates on 
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the phenomenology and typology of cybercrime. The dissertation proposes a unified 
definition in a broad sense in order to reach a high degree of international consensus. In 
addition, as a development of a previous classification method, the chapter divides 
cybercrimes into seven categories according to the different roles that information systems 
play: crime in which information systems are used as media, target, tool, route, place, means, 
and crime in which information systems are used in preparation for further offences. 

Chapter 5 is set out on the understanding of cybercrime as a research topic. The 
phenomenon has attracted increasing attention in scientific research: as a topic for criminal 
science literature, a university course, a subject for a degree thesis, a theme of 
multidisciplinary research, and a professional speciality. The research methods of this topic 
rely on information systems. Literature research, court decisions, and international 
comparison become more accessible with the accumulation of online information. 
Experiments are also available in some laboratories. 

Chapter 6 looks at the characteristics and motives of cybercriminals. With the increase 
of Internet users and information-related activities, the potential cybercriminals acquire more 
opportunities to launch attacks of different scales and from different motives. This chapter 
identifies more than twenty types of motive. The possibility of moving traditional crimes into 
cyberspace has alerted law enforcement to fight against existing cybercrime and to prepare 
for emerging threats. 

Chapter 7 analyses the primary characteristics of cybercrime with special reference to its 
detection and deterrence. The characteristics of the perpetrators, the subjective situation, the 
typical victims, time and space, technological involvement, complexity, costs and losses, 
detection and investigation, conflicts of jurisdiction, and rampancy of the cybercriminal 
phenomenon will be examined. 

In Chapter 8, the dissertation reviews the historical development of cybercrime and legal 
countermeasures. The chapter divides the process into four stages and concludes that 
cybercriminal phenomena have developed almost synchronously with ICT. Cybercrimes are 
in a process of accelerating development and are becoming gradually routinized. While the 
electronic divide thus results in cybercrime divide. The basic conclusion is that criminal 
resources decide the amount of crime, while judicial resources decide the deterrence. When 
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the balance is reached between criminal resources and judicial resources in the long term, the 
criminal phenomena will be saturated at an equilibrium point. 

Chapter 9 analyses criminalization through an international comparative study. Many 
countries have implemented legislation to increase punishment and thereby to reduce 
cybercrime. Different organizations have also implemented international countermeasures, 
though there remains the necessity for adequacy of legislation on cybercrime. Either the old 
law or the new law, either the domestic legislation or the international harmonization, should 
be used to meet the social need and eliminate the legal gap. 

Chapter 10 studies the various forms of liabilities of cybercrime. Criminal sanctions are 
necessary but are currently neither in being nor will be sufficient alone. Civil remedies can be 
complementary to the criminal sanctions. The chapter also analyses liabilities based on 
different subjects, legal bases, the psychological status of the perpetrator, functions of the 
liabilities, and so on. The chapter concludes that a liability mechanism of broad coverage is 
necessary to combat cybercrime. 

Chapter 11 focuses on the theme of cybercriminal jurisdiction. Because of wide 
distribution of cybercriminals and the lack of legal consensus, cyberjurisdiction is becoming 
a problem that legislation and law enforcement must deal with. It is necessary to create 
workable rules that bridge the local, national, and international boundaries. This chapter 
reviews the traditional basis of criminal jurisdiction and some new theories concerning the 
rebuilding of a basis for criminal jurisdiction. The chapter concludes with the idea of a 
liability-based jurisdiction and some focal points of cybercriminal jurisdiction. 

Chapter 12 reviews the international impetus of criminal-law initiatives in combating 
cybercrime. This chapter classifies the actions of international harmonization into 
professional, regional, multinational and global actions, summarizes the major concerns 
arising from these actions, and evaluates the influence of the Convention on Cybercrime at 
the national and international levels of legal countermeasures. The chapter also points out the 
limitations of the previous actions and anticipates the UN playing a more important role. 

Finally, Chapter 13 concludes the whole dissertation by emphasizing that cybercrimes 
are different from traditional crimes and thus pose new challenges to the legal systems, and 
that criminal law plays a necessary but limited role in combating cybercrime. With the 
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routinization of the phenomenon of cybercrime, criminal-law reform will slow down. Overall, 
solutions should be found from the impacts of vulnerabilities and motives. The vulnerabilities 
should be eliminated by technological means, while the motives should be eliminated by 
legal instruments. 

In sum, the issue of motivated criminals is mainly dealt with in Chapters 3, 4, 6 and 7; 
exposure of victims in Chapters 3 and 4; and absence of guardianship in Chapters 2, 3, 7, 9, 
10, 11 and 12. Two aspects are apparent here: First, the factors explored in Chapter 3 have 
effects by all the three aspects, that is, they clarify the motives of the criminals, expose the 
vulnerabilities of the potential victims, and at the same time reveal an absence of 
guardianship. The factors explored in Chapters 3 and 4 serve as investigating tools to clarify 
both the motives of criminals and exposure of victims. The factors explored in Chapter 7 
serve to elucidate both the motives of criminals and absence of guardianship. It is evident in 
cybercrime that the three aspects of the routine-activity theory are intertwined together to 
form an integrated entity. 

Second, lack of guardianship and efforts for deterrence are always hand-in-hand. Lack of 
guardianship necessitates efforts for deterrence; inefficiency or ineffectiveness of deterrence 
demonstrate a further lack of guardianship; and so forth. While the routine-activity theory was 
established as an ideal model, my attempts here give more consideration to the parallel 
development of increased cybercrime and improved deterrence. 

In a dynamic process of crime and deterrence, the three aspects in the ideal theory do, 
indeed, interact with each other. Through the focus on interaction we can draw ideal theory 
into the field of cybercrime inquiry, and endow it with power. 

It is necessary to emphasize that this dissertation is focused more on the cybercriminal 
phenomena themselves, that is, to explore, describe and explain them. While quite a few 
space is left for legal countermeasures, answers to questions “What has been done?” and 
“What has to be done?” are not deeply dealt with. They serve more to assist fulfilment of the 
overall objective of the dissertation than as a target of critique, which deserves a specialized 


discourse, particularly one relating to subsequent judicial practice. 
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CHAPTER 2. LEGAL ROLES OF INFORMATION SYSTEMS 


2.1 Introduction 


After the introductory text of this chapter, I am now going on to discuss the 
subject-matter in detail. The following chapter will deal with the conception and 
classification of information in the domain of law, and the challenge it poses to the traditional 
legal system. 

When we explore society, we begin with observing human beings ourselves. Human 
beings have a determination of orientation to survive and to front the uncertain, unstable and 
uncontrollable environments, both physical and social environments, whether natural, 
constructed or cyber (a theme developed in Chapter 1, Section 1.1 based on Coleman 1990). 
It is this orientation to survive the uncertainty and to know the unknown that propels human 
beings to reshape the already shaped, reconstruct the already constructed, and reorganize the 
already organized. 

While the discussion here will not be reduced to philosophical assertion, I accept that 
change is the eternal attribute of society.” Accumulation of information contributes greatly 
to social transformation. Digital information has become the decisive innovative factor in 
economic development and the leading resource in contemporary civilization (Molitor 1982, 
p. 84; Fisher 1984, p. 1; Rabin and Jackowski (eds) 1988; Daler and co-workers 1989, p. 13). 
Just as good land is a decisive factor for the agrarian economy, capital for the industrial 
economy, existing knowledge is a decisive factor for the information economy (Stonier 1983, 
p. 21). The relationship between these factors is not simply parallel, but progressive. In 


contrast to land, capital and information are more closely linked to human interactions. In 





© It has long been recognized that both nature and society are changing. What Heracleitus said “One 
cannot step twice into the same river,” (Heracleitus 1979, p. 168) can be understood broadly as 
recognition of a changing world. The present day idea of change is accepted as the inherited nature of 
existence. 
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contrast to land and capital, information is more closely linked to interactions of human 
intelligence. To say their relationship is in a progressive style is to say that information is the 
newer and higher level of achievements of human efforts (See Table 1). The implication of 
the recent information revolution lies in the fact that it is designed to eliminate the shortage 


of knowledge by processing data and information. 


Table 1 Land, Capital and Knowledge 














Factors Land Capital Knowledge 

Forms of _ the | Agrarian Industry Information economy 
economy 

Forms of | Non-interaction Human-human Human-machine-human 
interaction interaction interaction 














Information is therefore the enormous wealth of the social progress, which has been 
considered the fourth resource (UNCJIN 1999, Paragraph 85), alongside natural resources, 
property resources, and human resources. In contrast to other resources, information can be 
regarded as the only resource that can really be shared (Stonier 1983, p. 19). Fisher used a 
metaphorical statement describing information as power, “power to manage, power to 
manipulate, power to control” (1984, p. 1). Tapscott, Ticoll and Lowy (2000) further 
discussed the conception of digital capital in terms of business, stating that digital capital 
emerged from the incorporation of three types of knowledge assets: human capital, customer 
capital, and structural capital (p. 5). With the network, people could “gain human capital 
without owning it; customer capital for complex mutual relationships; and structural capital 
that builds wealth through new business models.” (ibid.) 

Other scholars further put information into a dynamic wealth-creating process, regarding 
information (particularly knowledge) a “key wealth-creating assets” (Porter and Read 1998, p. 
26) apparently in a dynamic productive and reproductive process. Information processing is 
thus a process of promoting social productivity. 


Unquestionably, the traditional resources have been seen as incomparable with the 
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capacity of information, which can bring about enormous productivity and unprecedented 
social transformation. Information and related technology has created a new epoch, a new 
society, and a new way of thinking for the modern human beings. In our reading of traditional 
society, one thing stands out as fundamentally different from the information society, which 
is information dependent, information abundant, and information shared. Bjérn-Anderson 
and co-workers (1982) correctly predicted that the information society would be 
characterized by the remarkable increase of information flow, the contraction of temporal and 
spatial constraints, the increasing dependence of social life on information systems, and the 
synchronous application of new technology on society (pp. xi-xii). It is apparent that people 
consider information as being of positive value and grant potential power in its conceptual 
category. 

People usually distinguish information from both data and knowledge. According to 
Stonier (1983), data is a series of unconnected facts and observations, likely to be changed to 
information through refining or organizing activities, while knowledge is organized form of 
information, providing the basis for insight and judgments (p. 19) Detailed relations between 
the terms can be illustrated as in Figures 2 and 3. On the other hand, information at one level 
may merely be data at another level (ibid). Finally, there can never be a clear limit between 
these terms. They are usually used interchangeably. For example, knowledge is the highest 
level of data or information, but people do not talk about knowledge security instead of data 
security and information security. In addition, information systems are actually “data 
systems”,”' but the favourite term in various disciplines is still “information systems”. In this 
study, the word “information” is priority choice where these three words can be used 


interchangeably. 





*I' See Johnson (1970) stating that “Data system is used here to designate the artefact that consists of a 
digital computer, a control program, and an accessible library of programs and data.” (p. viii). 
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Information 





A proportion of data is information, from which a proportion is drawn as knowledge. 


Figure 2 Relations between Data, Information and Knowledge 
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Data processing is achieved through technological development. Information systems 


are a part of critical infrastructure. Knowledge management is an element of productivity. 


The phrases in brackets denote the alternative usage of the terms when they are used 


interchangeably. 


Figure 3 Social Roles of Data, Information and Knowledge 
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In sum, the strong and the wealthy in the agricultural society strive for more and better 
land; the strong and the wealthy in the industrial society strive for more and better capital; 
and the strong and the wealthy in the information society strive for more and better 
information. 

Nevertheless, the term “information” is theoretically used as a value-neutral term. From 
the viewpoint of law, the term “information” stands for “data, text, images, sounds, mask 
works, or computer programmes”, including the process of collecting and compiling them.” 
Important elements involved in defining information in the modern sense include: 

Information is electronized. The current processing form of information is characterized 
by mobilization through electricity, fastest known vehicle. 

Information is digitalized. The current information is processed in the form of digits, “0” 
and “1”. 

Information is computerized. Information is created, deposited, processed and 
transmitted by the assistance of computer, a powerful “information machine” (Konig 1967, p. 
1). 

Information is automatized. The process in which information is created, deposited, 
processed and transmitted is a kind of human-machine interaction. There is no absolute 
automitization. 

Information is networked. Information is transmitted through the networks. It is 
electricity, digits, computer and automitization that constitute the basis of the networks. 

Information is modernized. It is not in a process of modernization, but in a process from 
modern to post-modern. It is modernized thus transformed. The change breaks the 
equilibrium of the conventional control and organization, motivating somebody to harvest 
from deviant actions, exposing somebody else to potential threats, and reducing the 
effectiveness of any safeguard. 

Information is evaluated. The value of information is recognized, accepted and 
respected. 


Lacking any of these elements, the object can hardly be regarded as information. The 





” Uniform Computer Information Transactions Act (UCITA), Section 102 (35). 
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modern definition of information therefore inevitably contains different factors from the 
traditional meaning of this term. Many people nonetheless misunderstand the exact meaning 
of information and consider that law has regulated information for several centuries or 
millenniums. This suggestion ignores the difference between information in the traditional 
sense and that in the modern sense. While the traditional form of information is heavily 
substance dependent, the modern information is processed by digital technique. The present 
information is practically transformed into digital information, regardless of whether it ever 
existed in the pre-computer era. Particularly, on account of the specific form of existence, a 
copy of information is not necessarily different from the original information in content, 
quality and medium. Under such circumstances, the term “information” can precisely cover a 
copy of information.”* In the network environment, information, its copies, and the copies’ 
different digits may be transmitted along the cable, fibre, or wireless networks without the 
spatiotemporal limits. 

Considering the different roles of different categories of information in the legal system, 
it is necessary to classify information according to its value from the standpoint of law. Law 
does not provide equal protection for all kinds of information. On the contrary, law merely 
encourages the processing of information with a positive value, but discourages the 
processing of information with a negative value. Although people deem information systems 
to be part of a critical infrastructure, and we transmit various kinds of information through 
the same information systems, the legal nature of these kinds of information should be 


differentiated. 


2.2 Classification of information in the legal sense 


Social inquiry usually starts from conceptualization (Babbie, 1995). Having talked about 


the conception of information, and not necessarily repeating accepted definitions, this section 


will give a sketch of classification. 





°3 ibid, Section 102 (10). 
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The legal value of information has long been recognized.” The legal effect, validity or 
enforceability of information should not be rejected simply on the ground that it is in a form 
different from that seen in traditional documents.” As in United States v. Adajan case the 
court ruled that computers could be at the same time storerooms of private information that 
must be guarded, or that of criminal proofs that must be identified.”° 

Previously, people were inclined to dichotomize information into legitimate and 
illegitimate, for instance, Sterling (1994). The nature and content of information are far 
broader than merely being legitimate and illegitimate. The value of information can be 
regarded as a criterion for a typology. On this terrain, information can be sorted into five 
categories according to the value it has and by whom it is held: information with positive 
value, value-neutral information, valueless information, information with negative value, and 
information with disputable value in different communities. 

The first category of information, information with positive value has the capacity to 
promote social welfare. The positive value of this category of information depends on the 
content of the information. If the offenders access to or destroy such information without 
authorization, the value of that information would be abused or exterminated. Loss of 
information with positive value, or loss of value of such information, either due to breach of 
its confidentiality, integrity, or availability, diminishes the efficiency of the information 
owner or, in turn, promotes the efficiency of the opponent. Offences involving infringement 
of information with positive value, infringe the rights and interests of the information owners. 
The related acts include unauthorized acquisition, modification of, destruction of, and 
tampering with information, and interference with information transmission. In particular, 
offences related to the ownership of information may possibly infringe the rights to 
information, such as appropriation, unauthorized use, obtaining income, and disposition. To 
copy, retrieve, deposit, publish, duplicate, utilize, promulgate, transmit, conceal, encrypt, 


decrypt, transfer, sell, etc., without authorization or legal permission, are all conducts that can 





** See UN Recommendation on the Legal Value of Computer Records, adopted by the Commission at 
18" session 1985. 

> Article 5, Model Law on Electronic Commerce of the United Nations Commission on International 
Trade Law, Annex of General Assembly Resolution A/RES/5 1/162. 

*6 United States v. Christopher Lee Adjani; Jana Reinhold, No. 05-50092 D. C. No. 
CR-04-00199-TJH-01 OPINION, 13 January 2006. 
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breach the ownership of information. 

The second category of information, value-neutral information indicates that the value 
of information cannot be classified into positive or negative. Rather, it can be utilized as 
either positive information or negative information, or used as positive information or 
negative information. This kind of information cannot either automatically advance social 
prosperity, nor necessarily impair social interests. This kind of information can be either used 
or misused, or simply exists in itself. For example, collections of e-mail addresses can be 
used in sending advertisements of opt-out electronic marketing, or fabricating an advance-fee 
scheme. However, these addresses are value-neutral, as the user names and passwords are, 
too. This category of information is value-neutral from the standpoint that its content cannot 
be judged to be positive or negative as such. 

The third category of information is valueless information. Some information has no 
value, for example, unsolicited commercial e-mail (UCE) or unsolicited bulk e-mail (UBE) 
without information of either a positive or negative value. The distinction between 
value-neutral information and valueless information lies in whether the value-neutral 
information does not induce a question of value judgment, and people cannot evaluate it as 
favourable or unfavourable; while valueless information induces value judgment, and people 
can evaluate it as neither favourably, nor unfavourably, but ordinarily as futile. In contrast to 
value-neutral information, valueless information can be used neither to promote social 
welfare, nor to degrade the social interests. This category of information is valueless by 
virtue of the fact that its content is valueless. However, the process may impair the normal 
order of the cyberspace by disseminating and transferring such information through 
information systems with malicious intent. The transmission of the valueless information 
exploits the bandwidth,”’ forming a worthless data flux and wasting the receiver’s time to 
deal with it. If the fact is of high ambiguity, the users have to spend time to browse around 
the information; even if the matter is of high certainty, the users also have to spend time 
removing the information. Even though each user wastes merely a few seconds or minutes, 


the time wasted by millions or even billions of users will be a substantive quantity. The 





*7 The bandwidth of a transmission channel is “a measure of the information-carrying capacity of the 
channel.” Daintith (2004), p. 38. 
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process will virtually diminish the efficiency and increase the expenditure. 

The fourth category of information, information with negative value indicates that the 
appearance, existence, and dissemination of information are detrimental to the stability of the 
state, public order, and individuals. It does not exist without the intervention of human factors. 
Some are created with malicious intent, for instance, a computer virus;°® some are created 
from a contradiction within one’s value concept, in which he or she regards it as legal and 
beneficial to deal with such information as adolescent pornography, hate speech, etc.; some 
information is falsified information, fabricated with the purpose for defrauding and obtaining 
property or other benefits, or for disparaging, defaming, blaspheming, etc. To reproduce, sell, 
promulgate, publicize such information are all measures that cause monetary losses or other 
damage to others. 

The introduction of negative information into information systems poses a series of risks 
that may lead to perilous and erroneous decisions, and cause impairment, suicide, and 
calamity. The risk of these threats necessitates an increasingly higher level of cybersecurity 
guaranteed by diverse specific services, with increased expenses and personnel. The entire 
society, from individuals, organizations to governments have to deal with the misinformation, 
manipulation of public opinion, and onslaughts against the social order and interests. 

It is necessary to note that information with negative value can be converted into 
information with positive value once that information is recorded and stored by judicial 
agencies as evidence to hold the fabricators and disseminators liable. This does not indicate 
that the value of information changes, rather, that the information is used to prove the 
existence of the actus reus by its specific negative value. It is necessary for success in the 
prosecution of crimes related to information with negative value to seize information as 
evidence. The application of evidence rules should not pose any obstacles for the 
admissibility of information as evidence.”’ It should be granted because of its evidential 


30 


weight.” Therefore, information should be differentiated in both substantive criminal law 





*8 A computer “virus is a programme that is attached to or inserted into another programme...The 
virus may or may not do other things.” (Sadowsky and co-workers 2003, p. 47). In practice, viruses 
usually cause damages to the computer system. 

Article 9.1, Model Law on Electronic Commerce of the United Nations Commission on 
International Trade Law, Annex of General Assembly Resolution A/RES/5 1/162. 

© ibid., Article 9.2. 
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and criminal procedural law. 

Besides the above four categories, there is a fifth category of information the value of 
which is disputable in the legal sense. That is to say, the criteria for evaluating the 
information are different in different countries. For instance, in some countries adult 
pornography is protected as free speech by the constitution and other laws, while in other 
countries its creation, production, duplication, publication, transaction, and dissemination are 
strictly forbidden. Furthermore, information can constitute a kind of political propaganda, 
which is also granted a different legal position in different countries, some having a high 
degree of free speech, and others having tight laws of political libel, and so forth. 

Although information can be distinguished according to subjective judgment, it does not 
in itself represent virtue or vice. The pervasiveness of information does not constantly push 
forward social development and facilitate the maintenance of the legal order. Through 
technological supremacy, all kinds of information play certain roles, exert their influence, and 
gain markets. They are all regulated, intercepted, and monitored. Similarly, they all bear the 
risk of unauthorized access and destruction. In addition, it is possible to obstruct positive 
information by legislation and court rulings, while negative information may be protected 
erroneously. Accordingly, information products and services, sources and destinations, 
storage and flux, domestic and international information, and public and credential 
information bring about the complicated process of value judgment. In this dissertation, 
except when otherwise mentioned, the term “information” is used in a positive sense. 

The full power of information has been realized through ICT, which has a broad impact 
on social lives, including maintaining the common traditions through improving the 
accessibility of information about religious practices; keeping cultural continuity through 
access to more information; enabling governments, commercial businesses, news and media 
organizations, as well as educational organizations to perform their functions well; and 
increasing collective activities and interests through an improved work process and social 
interaction (Cnaan and Parsloe 1989; Committee to Study the Impact of Info, National 
Research Council Commission of the U. S. 1994). 

Simultaneously, due to the accelerated accumulation of information, the management of 
information poses a great challenge to the public and private sectors (Daler 1989, p. 13). Both 
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internal and external threats may cause unexpected loss to individuals or organizations. The 
resources invested on information management have to be increased. In turn, information 


systems will further propel the advancement of the society. 


2.3 Information and the legal gap 


Digital information is a novel product of technological progress aimed at promoting 
social welfare through improving productivity. Information and other products of information 
technology, however, do not always play a positive role as people sometimes expect. In fact, 
many human expectations are left vacant in social reality. Society never previously got rid of 
unforeseeable trouble for information of a positive value and that of a negative value was not 
easily distinguishable or filterable before information systems came into being. Nowadays, 
both the information itself and the relevant technology have a significance within the legal 
framework, because they should be either protected or prevented by law. Legal activities can 
involve information and ICT in different ways. The conventional legal notion is to be 
innovated to accommodate the inevitable role of information. The existing legal coverage 
should be extended to facilitate the protection or prevention of information processing and 
information abuse. Furthermore, co-operative preparedness and jurisdictional adequacy are 
required for promoting the effectiveness of law enforcement. 

Information and communications technology takes the traditional society into a brand 
new stage that people call the information age. The existence and development of the 
information society requires a feasible social environment. The primary tasks that the legal 
framework bears are to provide legal assurance for the healthy and orderly development of 
information and telecommunications, and electronic and mobile commerce. Law does so 
through facilitating growth and eliminating obstacles. The information society is 
accompanied by various concerns about data security and privacy protection. The prevalence 
of insecurity and infringement threatens the whole environment of the new technology, new 
economics and new welfare. Such insecurity and infringement lead to the creation of 
defensive and remedial legal instruments against cybercrime, composed of both substantive 
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and procedural provisions, and of both domestic and international legal adequacy. The 


complete legal structure of the information society can be illustrated as the following: 


Table 2 Facilitative Law, Protective Law and Remedial Law 














Categories Facilitative Law Protective Law Remedial Law 
Functions Facilitating growth, | Avoiding insecurity, | Domestic 
eliminating preventing criminalization, and 
obstacles infringement international 
harmonization 
Coordinated sectors International forum, | Public sector, private | Public sector, private 
Domestic forum sector sector 

















The topic of this dissertation contains no more space for facilitative law. The following 
sections are devoted to analysing the legal gaps accompanied by the proliferation of 


information systems. 


2.3.1 The lag of a legal notion 


Many scholars regard information as the third form of protective object in criminal law, 
alongside person and property. Accordingly, the criminal-law theory has been adjusted to 
contain the new protective object. Some others, however, insist that information is not the 
third protective object in criminal law; rather, they consider it as belonging to the category of 
property.*’ They have criticized both the claim that information is the third protective object 
and the claim that information is not a protective object covered by criminal law. 

Conventionally, “information” in the form of digits was not previously covered and thus 
not protected explicitly by criminal law. Just as traditional economic doctrines maintained 
that only land and manufacturing rather than the service sector produced real wealth (Stonier 


1983, p. 25), traditional legal theories maintained that only wealth represented or produced 





3! Many of such arguments and discussion can be found in articles published in the 1980s, for example, 
BloomBecker (1981), pp. 16-17. 
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by land and manufacturing deserved legal protection. However, once the requirement to 
protect information emerges, conventional concept has to meet the needs of social 
development. Therefore, to say that information was not and should not be protected by 
criminal law is outdated. In fact, the majority of scholars and legislatures have not accepted 
that it should be protected. 

Information has been protected by criminal law in two ways. While there are people 
suggesting that law should not protect information, some others assert that information can be 
protected by a means equivalent to the protection of property. That is to say, information 
should be categorized as being in the same domain as property. People consider expanding 
the arm of criminal law to information just as they did to electricity. 

On the other hand, from ancient to modern times, criminal law has in effect been 
handling crimes related to information in different forms other than the electronic one, such 
as libel, perjury, forgery, blasphemy, hate speech, copyright, trademark, patent, and so forth. 
In practice, information does broadly cover those specific traditional forms, such as oral, 
written, and printed forms, and more recently the forms stored, and transmitted by electronic, 
magnetic, and optical carriers, including the telephone, facsimile, radio, television, satellite, 
and nowadays computers and networks. When people face digitally computerized 
information, they pay a lot of attention to the existence of information in traditional forms, 
and thus give new life to traditional information crimes. Our general notion should be 
changed in order to adjust to the new ways of “thinking, writing, arguing, and valuing” in the 
information society (Lanham 1993, p. 229). The semantic practices of the latter society are to 
label everything with a mark of “information” or to refer to its physical vessel “the 
computer” or to “the network.” 

It is an issue of “concept innovation” rather than criminal-law reform to recognize this 
point, but this concept innovation is necessary during criminal-law reform. Many crimes can 
be reconsidered in the light of the prevalence of the concept of information. With 
electronization, computerization, digitalization, automatization, and networking, these crimes 
become more apparently characterized as involving information. This justifies a wide 
expansion of punishment for the traditional offences involving information or information 
systems. Anyway, criminal law cannot demand a further expansion except through our 
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understanding of the nature of these crimes. The social and technological developments have 


been impacting on criminal law. 


2.3.2 The legislative gap 


Information is an emerging object protected by laws designed to maintain social order 
and protecting social benefits. The conventional penal code has been designed to address 
crimes involving “tangible and visible objects” (UNCJIN 1999, Paragraph 84). The 
increasingly higher value of information poses unprecedented legal challenges, demanding 
new legal responses (ibid). Information has a value for specific owners and _ users. 
Cybercrimes often involve the illegal obtaining or destruction of information. Because 
information, programmes, databases, computer services or computer time, are intangible and 
invisible, conventionally the law has not recognized what to do regarding them and has 
difficulty in providing even the definitions essential to defend this type of property involved 
(BloomBecker 1983, p. 11). Because of the lack of a clear definition of information as a 
valuable interest, the existing law does not easily conduce to successful prosecution. What is 
needed is that the existing laws should be adjusted to guard the abstract “information” itself 
rather than merely the computers in which the information is generated, the media in which 
the information resides, the cables by which the information is transmitted, or the Central 
Processing Units (CPUs) where the information is processed. 

The sphere to be covered by the new laws includes the use of ICT to make existing 
crimes more perceptible, to enable the inclusion of new forms of existing crimes, and crimes 
that specifically attack information systems (European Information Society Group, EURIM 
2002). Some countries have taken action to protect information as property in the traditional 
sense. On the other hand, some other countries exclude the concept of information from 
traditional crimes. Consequently, a noteworthy doctrine in criminal law rejects the 
independent position of information as one of the protective objects, which were 
conventionally confined to human being and property. 

On the issue of information as property, there have been endeavours to adopt burglary 
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law to acts of illegal access in which the cyberspace is supposed to be the equivalent of a 
domicile in genuine physical space.” Nevertheless, in this endeavour, people ignore the 
distinction between the threats of the two offences. What is endangered in burglary is not 
what is endangered in illegal access. In burglary, what is directly endangered is the security 
of life and property. In illegal access, what directly endangered is the security of information. 
Information is not the equivalent of life and property, though it is likely to be indirectly 
pertinent to life, and can generate benefits or cause losses, or measured by a definite amount 
of money. The offences of illegal access, nonetheless, belong to the activities infringing the 
security of information, but not the right or security of life or property. 

By using the terms traditionally used to indicate the misconduct in traditional offences, 
the offences against information seem to bear a similarity to traditional offences. Yet many 
people still doubt how a pair of hands can hold a piece of digital information. Strangely, we 
can frequently take notice of a question as “Can information practically be stolen?” The 
genuine uncertainty behind this question is “does information really exist in material form?” 
In addition, the intrinsic meaning potentially ignores the entity of digital information before 
human organs can perceive it. They accept only information printed on paper, shown on a 
screen, spoken in a backroom, transferred into a smell, or into an impression in any other 
form. Nevertheless, it is significant to note that the fact of obtaining information includes a 
pure perception of the content of the material. It is not necessary for the information to be 
physically moved or copied. For instance, the U. S. law criminalizes access to a computer 
without sufficient authority and thereby getting financial information, or to any information 
controlled by the government, and access to any confidential information where interstate or 
overseas business is involved in the criminal act.** In many countries, the law further details 
the act of “obtaining data” by different terms, such as copy, output, and theft. 

Digital information is not comparable to traditional property, and thus specific legal 


provision is required to protect it. However, it is undeniable that information is often related 





* For example, entering the computer facility with the intent, by whatever means, of discovering 
another’s account number for purposes of stealing computer time constitutes burglary under California 
law and will be prosecuted. See Bruin OnLine (BOL), Information for New Users, 2004. Retrieved 15 
March 2007, from https://www.bol.ucla.edu/cgi-ssl/accounts/newuser 

3-18 U.S.C. § 1030 (a) (2). 
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to property, or even health and life. The protection of information will surely facilitate the 
protection of property, health and life. In different countries, punishments for offences against 
property and person involving information have different starting-points. Some countries 
directly apply traditional law to these offences, such as the Penal Law of China.’ The 
Articles 285 and 286 create several new offences in respect of information or information 
systems. And another article, Article 287, provides for the application of separate provisions 
in the Penal Law to penalize traditional offences, such as financial fraud, theft, embezzlement, 
misappropriation of public funds and theft of state secrets, and would now cover computer 
information systems, other than in respect of illegal intrusion and destruction. The Article 
indicates that all the offences that can possibly involve computer information systems are to 
be punished. Some other countries merely apply the law to acts involving information, as the 
law in the U. S.* The 18 U.S.C. § 1030 creates several new offences targeted at information 
and information systems, and expands several traditional offences to acts involving 
information and information systems. However, the default doctrine is that the offences 
which possibly involve information and information systems, but are not criminalized 
explicitly by law, would not be punished. 

Nevertheless, criminal law is also confronted with some other gaps brought by the rise 
of computerized information, specifically, the sphere of illegal access to and illegal 
interference with information and information systems. The Internet has a universal impact 
on the ways by which people acquire and transfer information. The opportunities for 
cybercrime are correspondingly increasing with the extensive access to computers and the 
Internet. To protect against cybercrime, effective actions at the local, national, and global 
levels can be taken (Sofaer and co-workers 2000). Nevertheless, the overall contemporary 
legislative situation is unsatisfactory: not all jurisdictions are covered by laws criminalizing 
cybercrimes; not all legislatures are synchronous with the development of technology and the 
abuse of it (Gelbstein and Kamal 2002, p. 3); and nor can people update their conventional 


notions all the time. 





+4 See Articles 285-287 of Penal Law of China, 1997. 
> See 18 U.S.C. § 1030. 
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2.3.3 The jurisdictional gap 


The challenge to the contemporary legal system of digitalized information and its 
pertinent technology requires that countries with no law regulating the new object should 
enact laws, and that countries with such law should harmonize their laws. The starting-point 
of this harmonization and cooperation is the creation of coordinated definitions of 
information and information systems. Some countries provide definitions of information and 
information systems in their criminal laws, but there exist substantial differences, though in 
the primary aspects they are similar. In addition, the gap between the existing laws of 
different jurisdictions produces a safe haven*° for the perpetrators of many kinds of offences 
involving information and information systems. This situation necessitates an extended 
discussion in Chapters 11 and 12, dealing separately with trans-border jurisdiction and 


international harmonization. 


2.4 Conclusion 


Being informed is not necessarily beneficial. Informed by useful information, people 
can better compete in the social life. Informed by useless information, nothing better or worse 
will happen than a waste of time. Informed by harmful information, people would possibly 
weaken their own competitive force. Presently, all kinds of information are transmitted 
through the same information systems. Interference with transmission of useful information 


causes people to be less informed. Interference with transmission of harmful information 





°° The term “haven” is widely used by scholars or mass media to denote a country where there is no 
effective legislation or law enforcement for combating cybercrime, on academic materials, for 
example, McConnell International (2000), etc. News report, for example, William J. Kole, Romania 
becoming a haven for cybercrime, 17 October 2003, Associated Press. Retrieved 15 March 2007, from 
http://www.chron.com/disp/story.mpI/tech/2163754.html; The Nigerian Village Square, Nigeria: 
Haven for Terrorist Internet Communication? 4 August 2004. Retrieved 15 March 2007, from 
http://www.nigeriavillagesquare1.com/Articles/oyesanya/2004/08/nigeria-haven-for-terrorist-internet.h 
tml. The terminology “haven for cybercriminals” is rather offensive to those countries referred to or 
implied. 
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—and even useless information- also causes waste in identifying the value of information. 
Cybercrime can lead to both of these situations. With the introduction of information and 
information systems into society, protection and prevention become the imperative tasks that 
jurisprudence, legislation, and law enforcement are confronted with. There has not been 
adequate preparedness to respond to cybercrime. The process of recognition and acceptance 
requires much time. The imperative requirement is for people to be well informed about the 
loopholes the legal system has and how they can be altered. 

After clarifying in this chapter the potential change information systems can take to the 
legal system, particularly towards criminal law, the dissertation will begin to deal in the next 
chapter with the new criminal phenomena on the information networks, starting from a 
discussion about the exposure of the vulnerabilities of the networks to potential criminal 


activities. 
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CHAPTER 3. VULNERABILITIES IN INFORMATION SYSTEMS 


3.1 A process of cyberization”’ 


Society depends on the environment. However, the extent of the dependence changes 
over time. The general tendency is that societies in the newer stages are less dependent than 
the societies in the older stages. It is obvious, for example, that different environmental 
factors play different roles in the economy. 

The agricultural economy has been cultivated by biological power, the industrial 
economy mobilized by mechanical power, and the information economy facilitated by 
information power. From the agricultural economy through the industrial economy to the 
information economy, the roles of natural factors are becoming less and less significant. 
Earlier forms of economic activities were mainly decided by the mercifulness of nature: the 
fertility of the soil and the feasibility of the climate. Later forms of the economy, such as 
commerce and industry, were due equally to natural factors and social factors, in particular, to 
the invention of instruments and innovation of institutions. As the newest form of economy, 
the information economy is mostly established on information systems. 

Information systems are producer, container, processor, and transmitter of information. 
The Internet bears an identity of technological creation and technological concept, under 
which the connection of computers forms a network, while the congregation of networks 
forms the Internet (Forcier and Descy 2002, pp. 40-60), being borderless and decentralized, 
and connecting global computers by Hypertext Transfer Protocol (HTTP). The Internet is 
merely a wide-reaching congregation of computer networks supported by Internet technology, 


providing possibilities of mutual communications and of access to information.*® It does, 





*7 See Mead (1999), defining cyberization as “the process of making the whole world digital instead 
of analogue so it can be available anywhere, any time—the essence of cyberspace.” (p. 11) 
38 Reno vy. American Civil Liberties Union, Supreme Court No. 96-511, 26 June 1997. 
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therefore, not only link machines, but also more importantly “links people, institutions, 
corporations and governments around the world.”*” Each of the services that the Internet 
makes available may possibly bring about legal problems, increasing opportunities of 
cybercrime (Grabosky 2000, pp. 2-3.) 

Although countless statistics and empirical studies have tried to depict the development 
of the Internet, in this section, I shall try to present an illustration of the Internet through such 
aspects as the increase of Internet users, web sites, Internet hosts,” web pages, bandwidth, 
and the growth of e-commerce. I make use of the term “indicator” to denote these factors in 
describing the size of the Internet. 

The first indicator is the number of personal computers (PCs) and the Internet users. The 
scale at which information technology has influenced society can roughly be measured by the 
proportion of the population with access to computers and the Internet. The primary function 
of information systems is to process and share information.*' The more the computers are 
manufactured, traded and used, to a higher extent will society depend on this intelligent 
machine. The more the people are connected to the Internet, the greater the share information 
systems-mediated telecommunications will have for the entire market. In no easy way can we 
count personal computers in use globally, but according to the International 
Telecommunications Union, up to 2004, there were approximately 772 million personal 
computers in use in the world (GeoHive 2006). It means that practically thirteen percent of 
the world population are PC users (ibid.). While the Internet has expanded into 214 countries 
and world regions, the worldwide Internet users have been increasing fast in the past ten 
years." The Internet users reached one billion in 2005, 1.15 billion in 2007, and the growth 
rate is still high (Internetworldstats.com 2007). 

The number of Internet users has a high referential value in measuring the importance of 


cybersecurity, and the harmfulness of cybercrime. The increase in the number of users 





American Civil Liberties Union v. Johnson (Tenth Circuit No. 98-2199, November 1999). 

“° Host computer is ““a computer that is attached to a network and provides services other than simply 
acting as a store-and-forward processor or communication switch.” Daintith (2004), p. 247. 

“! Panavision Intl. v. Toeppen, Ninth Circuit No. 97-55467, D. C. No. CV-96-03284-DDP, 17 April 
1998. 

“ Of the 233 countries and regions in the world, only the data for 19 countries are unavailable 
according to the Web site of Internetstats.com. See Internetworldstats.com (2007). 
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represents a transition from non-PC-users to PC users, from non-Internet-users to Internet 
users, which in turn represents a transition from a lower likelihood of being informed to a 
higher likelihood of being informed—informed by information of various value orientations: 
coincident with inherent value notion, or contradictory to it. Problems emerge during the 
process of personal changes to PC usage caused by the subsequent access to more 
information and social changes as a result of its members’ access to ever-more information. 

Suppose the total population constant, the users are fewer than non-users but increasing 
at a phenomenal rate, while the non-users are more than users but decreasing, a movement 
from non-users to users. I think of the process as a sandglass. The increase of users is like the 
flow of sand from the top bulb to the bottom bulb. As to what happens in the sandglass, 
conflict and crash are inevitable. So it is between users: old users and old users, old users and 
new users, new users and new users and actually between old users and non-users, and new 
users and non-users, and so forth. If we consider these users are in different organizational 
forms, it will become more complex: individual users versus corporate users, and so forth. 

Users are not only the subjects in the maintenance of cyberspace order; they are among 
the potential victims of cybercrime. They may benefit from online activities, and at the same 
time, they may otherwise suffer losses when targeted by cybercriminals. The figure 
represents the growth of the online population, with a growth rate of 219.8 percent from 2000 
to 2007 (Internetworldstats.com, 2007), which is increasing by a surprising rate compared 
with population in the traditional society, which has a growth rate of 1.14 percent.” The 
citizens in the traditional society do not decrease as the netizens in the cyberspace increase. 
However, more and more people are obtaining the dual identity as both citizens in society and 
netizens in the cyberspace. The Internet penetration in the whole world has reached 17.6 
percent (Internetworldstats.com, 2007). In Europe, it is still higher, with a percentage of 
nearly forty (ibid.). Among them, the Nordic countries have a penetration beyond 60 percent 
(ibid.), being a regional pioneer in the world. 

The crime rate in cyberspace may be low at present. Suppose this rate constant, the 


absolute number of cybercrime, however, increases along with the growth of the population 





* CIA, The World Factbook, 15 March 2007. Retrieved 15 March 2007, from 
https://www.cia.gov/cia/publications/factbook/geos/xx.html 
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base of Internet users.“ Consequently, the number of Internet users is valuable in the 
calculation of the number and even the rate of cybercrime, in comparison with those figures 
in traditional society. 

On the other hand, given that cybercriminals are also among the Internet users, their 
growing number and their increasingly extensive geographical distribution indicate the 
difficulties in cyberspace regulation, cybercriminal detection, investigation, jurisdiction, 
identification, and conviction, and the costs and effectiveness in crime prevention. The 
Internet has been expanded to virtually all countries in the world. The Internet contents are 
using more and more kinds of languages, but with a relative concentration in some main 
languages, such as English, Chinese, Spanish, Japanese, German, French, Portuguese, Korean, 
Italian, and Arabic (Internetworldstats.com 2007). People understanding different languages 
will be more or less Internet-informed, but people who understand the main languages will be 
more Internet-informed. Therefore, the possible impact of online information on users who 
understand different languages differs. These numbers and ratios will be constructive in 
understanding the controllability of the Internet and thus the characteristics of cybercrime. 

The second indicator is the increase in the number of web sites, which represents the 
number of cyber actors, the quantity of cyber resources, the range of services that users can 
consume, and the number of places that the potential customers can visit. A Netcraft survey 
in July 2006 found that there were more than 88.2 million web sites on the Internet.“° From 
the increasing process of the Internet domain names worldwide, an accelerated ratio of 
increase can be discovered from the late 1990s. 

The primary function of web sites is to serve the Internet users’ needs of information 
resources. It is an important form of information publication, which acts as the counterpart to 
the traditional printed press. The growth of cyberspace population and the growth of web 
sites interact with each other. The users include publishers and readers, both of whom can 
exchange their status with each other. The growing number of web sites accommodates more 


users, while the growing number of users propels the development of web sites. It is possible 





“ Similarly, Parker and Nycum (1984, p. 314) estimated that the volume of computer crime would 
increase due to the growth in the number of computers. 

“’ Netcraft. July 2006 Web Server Survey, 28 June 2006. Retrieved 15 March 2007, from 
http://news.netcraft.com/archives/web_server_survey.html 
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that criminals will be destructive towards the web sites, and in turn, that the users’ interests 
will be damaged thereby. The web sites can also facilitate activities unsuitable for the 
participation of certain groups of people or the web sites may to publish content unsuitable 
for certain groups of people to retrieve. Lack of a unified conception concerning whether or 
not to monitor or censor the use of the Internet may leave this public forum in a status of 
anarchy and confusion. 

In addition, the location of web sites is not the equivalent to in the traditional sense. A 
web site may exist in several regions or countries simultaneously, including at least in the 
following possible places: 

The location of the web site registration, 

The location of the web site owner, 

The location of the web site server, 

The location of the content author, 

The location of the web site manager (webmaster), 

The location of the web site retriever, 

The location of where the language of the web site is mainly spoken by the native 
people, 

The location of where the web site can mainly be accessed, and where the web site can 
have an actual influence, etc. 

Determination of jurisdiction and harmonization of legislations are based significantly 
upon these different kinds of locations. The simultaneous involvement of many locations in a 
single act makes it difficult to select a certain location as the nexus for jurisdiction. The 
involvement of more locations during the process of information transmission and the 
complexity of tracing backward pose obstacles for determining the just location. Information 
systems become an information high sea full of information flow. 

The third indicator is the number of Internet hosts. An Internet host denotes a computer 
connected directly to the Internet; regularly, an Internet Service Provider (ISP)’s computer is 
a host. The number of hosts is an indicator for the Internet connectivity. As of July 2006, the 
number of Internet hosts reached 439 million (Internet System Consortium, ISC 2006). From 
the ISC (2006), the development of Internet hosts from 1969 to 2006 showed that the 
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development was relatively slow in the first two and a half decades, and began to accelerate 
from the mid-1990s. 

A significant aspect of cybersecurity is correlated with the accessibility to computers 
and networks. Occasionally, these computers and networks are the targets of cybercrime. In 
these cases, the damaged computers and networks become sources of losses suffered by users. 
As part of the hardware of the entire Internet, Internet hosts are also important reference 
factors when considering the prevention of cybercrimes. 

The fourth indicator is the number of web pages.*° As of 2007, the Google search 
engine collected 8 billion of web sites, indexed nearly 10 billion of distinct web pages, 
several billion of all types of images: photos, drawings, paintings, sketches, cartoons, posters, 
and more.*’ It is a complicated matter to correctly provide an accurate quantitative 
measurement of the growth rate of the Internet. The search engine and web site survey have 
been regarded as useful ways (Tehan 2002, p. 7). The increase of the number of web pages 
basically indicates that web-based information with positive value and with negative value is 
increasing simultaneously. The increase in web pages has had multiple influences on online 
users. The more the web pages are published, the easier the users can discover the appropriate 
contents, but the less successful the webmasters can maintain them. The faster the web pages 
are increasing, the more complicated the situation will be on the part of both webmasters and 
users in terms of obtaining information, maintaining the contents, and avoiding legal 
problems. 

The fifth indicator is bandwidth growth. Bandwidth measures the capability of the 
communications channel. Bandwidth growth facilitates more users and more convenient 
online activities. The lowered cost and enhanced quality of services attract people of various 
ages, different income levels and educational background to join the online community. A 
longer online time also becomes possible. Therefore, bandwidth growth directly influences 


the number of online users, the length of online time, and the categories of online activities. 





“6 “A web page is a computer data file that can include names, words, messages, pictures, sounds, and 
links to other information.” See Panavision Intl. v. Toeppen, Ninth Circuit No. 97-55467, D. C. No. 
CV-96-03284-DDP, 17 April 1998. 

“7 See Google.com’s self-description (Chinese version. There may be no such description in versions 
of other languages), Retrieved 15 March 2007, from 
http://www. google.com/intl/zh-CN/options/index.html 


90 


The sixth indicator is the growth of scale of e-commerce. UN (1997) noted that “an 
increasing number of transactions in international trade are carried out by means of electronic 
data interchanges and other means of communication, commonly referred to as ‘electronic 
commerce’, which involve the use of alternatives to paper-based methods of communications 


and storage of information.” “ 


Although e-commerce is different from those 
above-mentioned factors that are directly related to the scale of the Internet, to some extent, 
nevertheless, we can quantify how many commercial opportunities and interests rely on 
cybersecurity. That is to say, any cybercrimes that shake the foundation of the Internet will 
have influences on e-commerce. Direct or indirect, tangible or intangible,” pecuniary or 
non-pecuniary losses can be caused by various kinds of cybercrimes. Therefore, a brief 
introduction to the growth of e-commerce is not meaningless. At least, in considering the 
cybersecurity investment and the cybersecurity financing, the scale of e-commerce can be a 
valuable parameter for making such estimate. 

In fact, in the U. S. alone, five years after the introduction of the WWW, the size of 
Internet economy can compete with traditional sectors, such as energy, automobiles, and 
telecommunications (Centre for Research in Electronic Commerce 1999, p. 8). The Internet 
economy also rewrote the history of the employment market (Ibid, p. 9). 

Integrity and reliability of information are important for e-commerce.” Along with the 
development of e-commerce, criminals are also transmitting their activities online. The 
increasing dependence of business on information systems is gradually changing the global 
social-economic scenario. 

In fact, besides e-commerce, many other industries more or less depend on information 
systems. More people, more assets, and more activities continue to go online, the efficiency 
of social actions reaches an unparalleled degree on the one hand, the over-dependence on 


information systems also brings about new risks that society would never have met without 





“8 UN General Assembly Resolution A/RES/51/162 (30 January 1997). 

“” Concerning costs of crime, see Levinson (2002), pp. 336-343, particularly, direct and indirect, 
tangible and intangible losses of general crime, see Levinson (2002), p. 338. 

°° This kind of recognition makes it imperative for international legal instruments to coordinate 
position of different countries, for example, Annex to UN General Assembly Resolution 
A/RES/51/162 (30 January 1997), the Model Law on Electronic Commerce of the United Nations on 
International Trade Law, Article 8. 


91 


the systems on the other hand. It is unnecessary to overemphasize the catastrophic effect of 
the possible interruption of information systems. However, we should bear in mind that the 
increasing dependence on information systems would cause more and larger risks for the 
society. Social disorganization is usually associated with social change, particularly, 
innovation (Mowrer 1942, p. 32). The information society has the tendency of disorganizing 
in a more informed way. 

The society is transiting from the process of urbanization to cyberization. An 
information supercontinent is taking shape. The increasing significance of the Internet for 
society and the accumulated threats of abuse deserve universal attention. 

The following sections will analyse the basic properties of networked information 


systems and their primary impacts on the maintenance of social order. 


3.2 The uncontrollability of networked activities 


Comparison is the core of wisdom. Knowledge about traditional society has been 
accumulated for centuries and it is known either through common sense or as technical 
strategies. Our knowledge about information systems and social control on the background of 
the pervasive information systems is to be acquired through comparative study, extending 
from the old to the new. What we observe, describe and explore about the information 
society depends heavily on what we did about traditional society.*! 

ICT facilitates free and, frequently, a trans-territorial flow of information. The security 
of information systems has also been a topic discussed in many literatures from very early 
years. For example, Bequai (1983, pp. 192-222), and Icove and co-workers (1995) covered a 
wide range of issues connected with computer security. It requires a special forum to provide 
an answer to the question of whether it is technically, morally, or legally suitable for the 
Internet to be managed, regulated, or controlled. But a fundamental conclusion is that the 
security of information systems is only relative. Absolute cybersecurity did not in the past, 


does not in the present, and will not in the future, exist. Alexander Hellemans (1999) reported 





>! For the value of comparison in social sciences, see Gerring (2005), pp. 157-159. 
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that, using a complicated algorithm and software, scientists broke the RSA-155 code, which 
is a popular means for protecting secret information on the Internet in Europe, even though it 
is an issue for researchers to spend 5 months on 300 PCs and a Cray 916 supercomputer (p. 
1472). 

In this section, I merely explore the difficulties in exercising control over the Internet. 
Controllability permits management to exercise a directing or restraining influence over its 
use, behaviour, and content (Fisher 1984, p. 24). Controllability of the Internet has a direct 
influence on cybersecurity. The concept of uncontrollability originates from the vulnerability 
of ICT acknowledged by the pre-Internet writers. Bequai (1978, pp. 9-17), for instance, 
divided the operation of the system into five stages (input, programming, Central Processing 
Unit, output and communication process) and asserted that each of these stages is vulnerable 
to attacks by the perpetrators. Bequai (1983, pp. 4-7) raised four reasons why computer 
technology is vulnerable: (1) it is vulnerable to abuse, particularly physical attacks and 
embezzlement; (2) it provides opportunities for various kinds of thefts; (3) it threatens every 
user with the development of human dependence on the machine; and (4) it functions in a 
“corrupt environment” where white-collar crime prevails.°* He concluded that “crimes by 
computer can be easy” (Bequai 1983, pp. 16-26). 

Nevertheless, Kollock and Smith (1999, pp. 3-28) studied “the landscape of cyberspace’, 
and presented a constructive analysis of the social order in the Internet environment. In the 
following paragraphs, the ideas of both Bequai and Kollock and Smith will be explored. 

By turning to the vulnerabilities of information systems, I am not going to pretend that I 
am witnessing information society in a completely pessimistic way. Rather, this background 
presentation serves just the purpose of writing about crime. Before beginning the discussion 
about the damage caused by the uncontrollability of information systems, I would like to 


recall that sometimes vulnerability is useful for some persons and some institutions of good 





°° White-collar crime is a term coined by the American criminologist Edwin Sutherland in 1939. He 
defined it as “a crime committed by persons of respectability and high social status in the course of his 
occupation.” (Sutherland 1949, p. 9) Sutherland made efforts at reshaping the picture of criminals 
from the traditional conceptions of depicting them as uneducated, unemployed, dissatisfied in 
economic needs and violent so as to include also the educated, the employed, and those enjoying a 
social recognition for their contribution to society. 
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will at some time and under some circumstances.”™* 
This section will emphasize and expand the analysis of the security problems usually 
involved in major Internet services. The characteristics of Internet services with special 


regard to controllability can be summarized in the following nine respects. 


3.2.1 The universal accessibility of the Internet 


Universal access to the networked information systems can have both positive and 
negative roles in terms of social development and social control. Positive, because the society 
is networked and the networks are available to more and more members of society. Negative, 
because the traditional social networks have been replaced and the members are moving to 
and constructing new networks. The impotence of the old order and the absence of the new 
order will create an integration vacuum, to be expressed in the form of anarchy and chaos, for 
a process of disintegration and disorganization can be anticipated during this transformation 
(see Mowrer 1942; Elliot and Merrill 1961). 

Since the removal in the 1990s of access constraints on the Internet for commercial use, 
the premises in which Internet access service is available have been rapidly extended. Besides 
regular users in schools and companies, cyber cafés** and homes also facilitate the access of a 
significant number of users. In some countries, the management of cyber cafés forms the main 
path to cybersecurity. Cyber café has become the paradise of school-aged juveniles who play 


truant. Many problematic youths spend a long time in cyber cafés chatting, gaming, gambling, 





3 For example, in United States v. Jarrett (Fourth Circuit No. 02-4953, 3 June 2003), the key evidence 
of the cases (concerning child pornography) was provided via e-mail to the law enforcement by an 
unknown hacker, who used a Trojan Horse programme attached to a picture and succeeded in 
accessing to the perpetrator's computer upon his downloading the picture. In United States v. Steiger 
(the Eleventh Circuit No. 01-15788, 01-16100 and 01-16269, 14 January 2003), an unknown hacker 
reported his findings, upon access to the perpetrator's computer with the help of Trojan Horse 
programme attached to a fake programme, of a crime clue to the police. Interestingly, both unknown 
hackers were from Turkey, but never appeared in court. 

* The concept of cyber café possibly originated in the U. S. in early 1990 (Steward 2000). It is a place 
where Internet access is provided as the primary service. The adjunct services may include sales of 
various drinks, foods, and other goods. In some countries, the cyber cafés were the main places where 
people could access the Internet during the earlier days of network development. The current cyber 
cafés are still playing a critical role in providing Internet access in towns and cities with a great mobile 
population. 
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and entertaining. The cyber café is a place devoid of supervision and restraint as far as both 
private and public sectors are concerned. Neither families nor educational institutions can 
exercise control over activities in cyber cafés. In addition, the owners of cyber cafés are 
usually motivated by profits and do not care about the users’ activities. For instance, many 
cyber cafés in cities and towns are opened unlicensed due to the failure to meet the 
requirements of the fire codes.*° Besides the physical security and Internet addiction, the 
cyber cafés also involve cybersecurity concerns. Hackers®® and gangsters are increasingly 
crowding to the Internet, the cyber cafés being a paradise for them. According to the National 
Police Agency of Japan, more than half of computer crimes in 2005 were committed by using 
computer in cyber cafés. An increasing number of Japanese in their twenties and thirties, as 
well as many homeless people, select cyber cafés, which offer a “bed and Internet” package, 
as their home.” 

It is not difficult to comprehend that some Asian countries have outlawed unlicensed 
cyber cafés. A measure of this kind matches crime prevention and crime control in other 
countries with a different political situation and cultural background. People from countries 


without the “cyber-café syndrome” definitely cannot approve such crime prevention measures, 





°° Lu, L. Online Survivors in China, 13-20 April 2006, Beijing Review. 

°° The term "hacker" has so many different meanings when it denotes different groups of people that 
we cannot give an accurate definition (Thomas 2002, p. 3). The original meaning of the term "hacker" 
denotes those who enjoy “making computers do new things, or do old things in a new and clever way. 
The hacker is usually quite good at his craft, but may very well not be a professional computer 
programmer or designer. The hacker's work may be useful or may be just a game.” (Warren 2003, p. 
XIV). 

However, the current understandings of the public about hackers can be classified into three 
primary categories: the altruist hacker, the neutral hacker, and the malicious hacker. The good hacker 
is a hacker who tries to find loopholes in the information system and fix them, without intruding into 
the others’ system. The neutral hacker may be described as a person who cares more about his own 
technological achievements but not others’ welfare and security. The malicious hacker is one who 
attempts to practise unauthorized access to the others’ systems. Today, the most common use of this 
term has almost become an equivalent to computer criminal or perpetrator, a person who attempts to 
obtain unauthorized remote access to a computer system. See Daintith (2004), p. 235. 

Taylor (1997) pointed out that “...despite the media portrayal, hacking is not, and never has been, 
a simple case of ‘electronic vandals’ versus the good guys: the truth is much more complex. The 
boundaries between hacking, the security industry and academia, for example, are often relatively 
fluid. In addition, hacking has significance outside of its immediate environment: the disputes that 
surround it symbolize society's attempts to shape the values of the informational environments we will 
inhabit tomorrow.” See message dated: 18 June 1997, From: P. A. Taylor@sociology.salford.ac.uk, 
Subject: File 1--Paul Taylor's Forthcoming "Hacker" Book. 
°7 Konstantin Kornakov, Cyber Café —or the Scene of Cybercrime, 5 March 2007. Retrieved 15 March 
2007, from http://www. viruslist.com/en/news?id=208274049. 
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and usually protest against governmental actions that shut down cyber cafés. Such protests 
raise the issue of closing down these premises to the level of a human-rights question. It is 
then maintained that closure means a threat to information access and freedom of expression. 
Such a standpoint ignores security and crime concerns. Issues of rights and of crime are 
always interrelated. It is worth noting that in most European countries, thanks to better living 
standards, educational and other conditions for the development of a broad bandwidth, the 
cyber cafés are less developed. The full extent of the issue is thus neglected. 

Universal accessibility does not mean that there are no different patterns of usage. People 
of different ages may spend a different length of time online in carrying out their different 
goals. People of different gender may exchange different information inside and outside their 
groups. People in countries in different developing stages may have a different Internet 
penetration ratio. People are all born equal, but equality of access to information has not been 
achieved, and equality does not mean sameness. Some people do not want any more 
information. The impact of information systems on different individuals, groups, 
organizations and agencies is, therefore, one of different styles: beneficial or harmful, positive 


or negative. 


3.2.2 The invisibility of cyberspace 


Conventional countermeasures and theories about crime prevention were based on its 
material influence and on the material environment, although non-material factors have long 
existed, too. Activities in information systems can be expressed in a physically invisible form. 
What are physically visible in information systems are those physical existences, such as 
hosts and terminals, displayers, keyboards, mouse, and cables, while the mechanisms by 
which the computers function are invisible. Cyberspace is developed from information 
systems as an abstract space, differing from the material devices of information systems that 
include terminals and cables.** It is invisible and intangible if compared with traditional 


space (Khosrow-Pour 1998, p. 440; Robertson 2000, p. 248; Dodge and Kitchin 2001, p. 81). 





* See description in Gibson (1984), etc. 
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When a web page is surfed, what can be seen is only the display of information on the screen. 
The web site is not physically a reading room where people can read magazines, newspapers 
and books, listen to audio records or watch videos, nor a marketplace, bank, street, or forum. 
It is merely a collection of web pages written in various mark-up languages, comprised of 
letters, numbers, and symbols in common use, but which facilitate the functions of linkage to 
other media, communicating with other people or directing to other services. The electronic 
address is not necessarily located along a street, in a building or even in a city, province, or 
country. In addition, the online services are usually provided in the manner of a remote 
transaction paid by means of digital cash or virtual money. Finally, the Internet users include 
individuals and institutions, but they do not necessarily appear in person or in an entity in a 
traditional library, forum, marketplace, bank, or along a street. It is entirely an invisible 


community in an invisible space. 


3.2.3 The low controllability of the process 


Since the early days of the computer and the Internet, efforts have not been lacking to 
control the system. Theoretically, the Internet can be controlled; however, actual and perfect 
control is unattainable. Thus, it is reasonable to say that the Internet can be controlled by any 
of the users if there is anyone trying to exercise control over part of it; but it cannot be 
controlled by any of the users if they want to exercise absolute control over the whole system. 
The low controllability by one means, on the other hand, the high possibility of control by 
many others. The low controllability by authorized users means the high possibility of control 
by unauthorized uses. 

According to Kollock and Smith (1999, pp. 3-28), the Internet services have a very low 
controllability, even though it does not in my opinion greatly affect the social order (see 
Section 3.2). They explained the mechanisms of e-mail, Usenet, and WWW, which are the 
commonest means of communications and information exchange between online users. Both 
free and paid services are available online on an immense scale. E-mail lists, Usenet, and 
WWW < are used to distribute messages simultaneously to all the subscribers of the lists or 
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Usenet, or published for public access. To some extent, owners, administrators or servers of 
e-mail lists, Usenet and WWW have a certain degree of controllability when owners decide 
publish or refuse the messages. However, the openness of most e-mail lists, Usenet and even 
WWW enables users from everywhere to publish messages. To review a substantial quantity 
of messages requires considerable time and labour. What makes it a challenging social space 
is that any online users can write, publish, retrieve and save the contents, meaning that they 
expose themselves to anonymous users and trans-territorial users (see Kollock and Smith 
1999, pp. 3-28). 

Kehoe (1993) has discussed the situation of Usenet. He has claimed that the Usenet is 
not an organization, devoid of central authority; not a democracy, because democracy also 
requires organization; not fair, because unfair things will be discontinued by no one; nor a 
public utility, because of little or no control (pp. 36-38). Kindon (1994) concluded that the 
Usenet control ends at the newsgroup level” rather than at the individual level. Messages 
can be distributed among thousands of computers worldwide, and the establishment of 
jurisdiction over disputes and offences is impossible. 

Controllability of online instant messages is yet lower than the above-mentioned 
services. During the instant communication, the sending and receiving of the messages 
happen in a nearly synchronous manner. If these messages contain offensive contents, or 
hyper links to an offensive web page, there is no sure way of providing prearranged measures 
for precluding them. There do exist certain kinds of filtering and blocking mechanisms, but it 
is still a problematic matter whether these mechanisms are effective in passing and blocking 
the exact messages. While the filtering mechanisms are based upon logic coding under the 
hypothesis of rational human activity, the ways in which filtering and blocking programmes 
can be rendered invalid are simple and multiple. For example, the substitution of letters by 
similar numbers or symbols, or use of icons as words and phrases, is a method that is easy to 
use but difficult to filter. 


Even if it is merely an individual e-mail, it is still confronted with uncontrollable threats. 





°° “Newsgroup is an Internet discussion group that focuses on a particular topic. Users of the 
newsgroup share messages and can download files; including images...there are automated processes, 
such as news servers, allowing individuals to automatically receive files on a particular subject.” 
(United States v. Slanian) 
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Kelly (2002) has mentioned the three primary aspects, that is, the loss of the confidentiality 
of e-mailed information, the distortablity and misinterpretation of content and the possible 
liability of an institution for the message as a publication. 

The above analysis enables us to draw the natural conclusion that the control over the 
process of the Internet services is theoretically possible but practically unfeasible. The 
impossibility of control over the Internet immunizes individuals and institutions from any 
liability for the omission of such a control. Under these circumstances, neither an ex ante 
obligation nor an ex post liability can be adhered to as far as related individuals and 


institutions are concerned. Thus the incentive for control will hardly be strong. 


3.2.4 The disputability of content and activities 


The old and new diversity between cultures, societies and laws has not necessarily been 
diminished by the common networks of information systems. On the contrary, universal 
information systems bring in a diversity from offline to online, and bring about a diversity 
between offline and online. For example, we see that while there are different versions of 
religious classics on the networks, there are also different versions of political works online. 
People have the equivalent chance to read various versions of holy books. If they are to 
establish a belief different from their previous ones, they are equally likely to be influenced 
by this version or that version. Thus, from the viewpoint that information systems form a 
space accommodating different cultures and ethnicities, we cannot expect too much of them, 
because they have the power both to create and to some extent eliminate diversities. The 
connection of the Internet to current legal frameworks, including restrictions on displaying 
unfeasible materials, the protection of privacy, and the limits of permitted business all 
become the subject-matter of major legal argument.” This has become a well-established 
conclusion. 

The capacity of an uncomplicated publishing process makes the web pages an important 


media for businesses and individuals wishing to convey information to almost as many 





® Citron and Toronto Mayor's Committee v. Zundel, 2002 CanLII 23557 (C.H.R.T.). 
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people as possible (Williams 2001). Every online user is able to contribute to certain kinds of 
publications: scholars shift their academic journals to inexpensive and easy-spreading digital 
versions; students put their essays on the bulletin-board system; and dissidents establish web 
sites to publish statements against the political authorities. In addition to technological 
problems, online content also involve two aspects of legal problems: the protection of free 
speech in some countries and the prohibition of offensive speech in some other countries. 
Freedom of speech or freedom of opinion and expression is provided as basic human rights in 
international agreements and domestic constitutions.°' For example, Section 12 (1) of 
Constitution of Republic of Finland prescribes that: 

“Everyone has the freedom of expression. Freedom of expression entails the right to 
express, disseminate and receive information, opinions and other communications without 
prior prevention by anyone. More detailed provisions on the exercise of the freedom of 
expression are laid down by an Act. Provisions on restrictions relating to pictorial 
programmes that are necessary for the protection of children may be laid down by an Act.” 

Many other countries have similar clauses in their constitutions. Although the literal 
wording in the constitutions may be similar, the judgment standards of free speech are 
different. What is visible is only the wording of the clauses, but what is invisible is their legal 
spirit. In some countries, the law of free speech protects online messages, and refusal of 
publication requests and deletion of published messages may bring about legal disputes. In 
some other countries, these messages may be legally or religiously offensive. Even within 
one country, there is also the possibility that the courts rest on positions different from each 


other or different from the relevant legislation. For example, in Reno v. American Civil 





°! In The Universal Declaration of Human Rights 1948, Article 19 prescribed that “Everyone has the 
right of freedom of opinion and expression; this right includes freedom to hold opinions without 
interference and to seek, receive, and impart information and ideas through any media and regulations 
of frontiers.” 

Other primary international agreements including freedom of opinion and expression are The 
International Covenant on Civil and Political Rights, Articles 19 and 20; The International Convention 
on the Elimination of All Forms of Racial Discrimination, Articles 4 and 5; The American Convention 
on Human Rights, Article 13; The African Charter on Human and People’s Rights, Article 9; The 
European Convention on Human Rights, Article 10; The European Convention on Human Rights, 
Article 10, etc. For more information, see Lawson (ed. 1996). 
© Constitution of Republic of Finland (731/1999), Section 12 (1). See FINLEX, an unofficial 
translation. Retrieved 15 March 2007, from http://www.finlex.fi/pdf/saadkaan/E9990731.PDF. 
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Liberties Union,” the court struck down a federal provision prohibiting the ending or 
displaying of obviously disgusting material in a style available to anyone less than eighteen 
years of age. The court ruled that the prohibition violated the First Amendment.™ In Ashcroft 
v. Free Speech Coalition et al.,© the Supreme Court of the U. S. upheld the Child 
Pornography Prevention Act of 1996 (CPPA), which expands the federal prohibition on child 
pornography to both pornographic images made using actual children and “virtual child 
pornography.” 

These factors determine that controllability of the Internet, the legal foundation of 
control, the willingness to control, and actual control over the Internet are conditionally 
dependent. Under such circumstances, it is not groundless for technological supremacists to 
suppose that the Internet lists will assist in the realization of their anarchist ideal. 

For example, with the help of the Internet, the pornographic economy has developed on 
a great scale. It is true that obscene texts, graphics, and audio and video files have a different 
status in different cultural contexts. They may be legal for all people. They may also be 
illegal for all people. However, in most cases, they are legal for adults, but illegal for 
juveniles. In addition, the content of obscene files does not matter: description or illustration 
of children often render the whole file illegal, because this is regarded as sexually exploiting 
children. In any case, if the file is illegal, acts with the intent to create, record, possess, 
present, publish, replicate, disseminate, trade, advertise and so forth are all illegal. Even 
collecting and enjoying them by oneself will be punished. According to the Penal Law of 
Finland, dissemination of the depiction of obscenity, possession of obscene pictures of 
children and unlawful marketing of obscene material are all criminalized.®° However, that 
the incentive of benefiting from the commercial transaction of pornography motivates the 
Internet content providers or Internet users means that it is difficult to control the Internet 


content. 





63 Reno v. American Civil Liberties Union (Supreme Court No. 96-511, 26 June 1997). 

* Fallon (2004), p. 53. The First Amendment was implemented in 1791 prescribed that “Congress 
shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or 
abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and 
to petition the Government for a redress of grievances.” 

Ashcroft v. Free Speech Coalition, 535 U.S. 234 (2002), Docket No. 00-795 - April 16 2002. 

Penal Code of Finland, Chapter 17, Sections 18-20 (563/1998). 
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In addition to the fact that the digital form of traditional verbal, written, printed, audio as 
well as video content inherits these above-mentioned traditional prohibitions, the Internet 
further inherits the problem enforcing the illegal nature of some activities, such as gambling, 
along with the trade in some materials, such as drugs, philtres, and weapons. Some of these 
fields are in dispute. The most controversial issue may be the criminalizing or legalizing of 
gambling and marijuana. The momentousness of these topics in contemporary society has 
attracted the attention of multitudinous studies and research. Now, despite their legal status in 
different countries, exchange of information about these activities and materials, transaction 
and payment, necessary offline delivery of goods, and possible internationally prohibited 
money transfer in some areas, may create unsolvable problems for control over the Internet. 

Information systems can accommodate contents of different value-orientation and 
activities of a differing legal nature, usually creating controversies among the various 
jurisdictions. As a result, the authorities in the country where the content or activities are 
legal cannot provide sufficient protection for people who publicize legitimate speech or carry 
out legitimate activities, and cannot prohibit infringements and impose sanctions on people 
who infringe these legal rights. Similarly, authorities in a country where the contents or 
activities are illegal cannot impose sanctions on people who breach the proscription, and 
cannot protect people who obstruct the illegal contents or activities from wrong prosecution 
by a country where people adopt contrary standpoints to the legal nature of these contents or 
activities. In Europe, this dispute exists in the respect of speech concerning the identification 
of several historical incidents, such as the genocide of certain races, denial of which may 
induce criminal prosecution in countries including Austria, Belgium, the Czech Republic, 
France, Germany, Italy, Lithuania, the Netherlands, Poland, Romania, Slovakia, and 
Switzerland. Denial of the historical occurrence of genocide is also punishable in Israel.” In 
spite of some international conventions, the problems of this paragraph are not in practice 


more easily dealt with than the problems of the proceeding paragraph. 





— Wikipedia, Holocaust Denial. Retrieved 15 March 2007, from 
http://www. wikipedia.org/wiki/Holocaust_denial 
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3.2.5 The divisibility of digital files 


Division is a threat to most forms of life and most forms of existence. However, at the 
same time, division means life and the existence of digitalized information. Digital files exist 
in information systems and are transmitted through the networks in particular forms. Erol 
(1992) described it as a process of “moving bits from one place to another” (p. 19). In 
transmitting processes, a file is regularly broken into many packets™ conveyed along the 
networks in different jurisdictions. For example, if a European user sends a message from his 
or her room to the neighbouring room, the message may be divided into several packets. 
When they are transmitted from one room to another through the Internet, there is the 
possibility that all packets are transmitted directly through local networks and arrive at the 
destination. Nevertheless, there exists, too, the possibility that certain packets transmitted to 
North America, and then to Africa, or Asia at last arrive in the neighbouring room. It is a 
frequent phenomenon for a single e-mail message to traverse countries in different continents. 
If every country attempts to exercise jurisdiction, the process can become exceedingly 
complex and unmanageable. Plainly put, it may occur that one particular country may simply 
be crossed by certain packets. 

Most of the Internet services involve some kinds of file transmission. For example, 
contents of e-mail, Usenet, chat room, and web page are generally transmitted as files and 
divided into packets during the process. Different packets may be transmitted via different 
routes and different jurisdictions. Even though in reality information is not divided as 
extremely as we imagine, the possible gap and overlap of legislations have still become a 


major problem. 


3.2.6 The low confidentiality of information systems 


Protected data in information systems should be “obtained and processed fairly and 





°° A packet means “‘a quantity of information that is sent as a single unit from one computer to another 
on a network or on the Internet.” See Summers (2003), p. 1184. 
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lawfully.” Technical and organizational measures should be taken to protect personal data 
against access without authorization, manipulation, disclosure, transfer and other processing 
without legal reason.” Besides general protection of personal data, sensitive personal data 


are granted special protection by law.”' Exceptions are derogations, ”” 


which are prohibited 
to process. ”° 

Information systems are usually analogous to a place with unrestricted freedom and 
where the information is less confidential. Weak technical control and weak human control 
are the main factors that expose the weakness of the systems. The most obvious example is 
e-mail. The technical mechanisms demonstrate that e-mail has exceptionally low 
confidentiality, and is more vulnerable to disclosure than traditional letters. Without 
encryption, every document sent by e-mail is publicly accessible, and system administrators 
can easily view every outgoing and incoming e-mail without any preceding authorization 
(Sikorski and Peters 1999, p. 348). Kelly (2002) mentioned that the confidentiality of 
e-mailed information can be lost in such cases as when it is intercepted, when it is sent to a 
wrong address, or when it is read by an unauthorized or unintended person. 

In addition to less prepared gaze, Rogers (2001) worried that the governmental agencies, 
business organizations and other individuals are usually motivated to abuse their powers and 
rights to infringe e-mail privacy. The secrecy of individual interaction in sending and 
receiving e-mails online is easily destroyed, because of being unencrypted. It is possible for 
hackers to tamper with the e-mail, or for the Internet service providers (ISPs) to check the 
packets, resulting in loss of users’ e-mails and disclosure of individual privacy or business 
secrets. This is no different from clandestinely opening other people’s letters, encroaching 


upon other people’s correspondence secret (Wang 2001, p. 154). 





®° Council of Europe Convention for the Protection of Individuals with Regard to Automatic 
Processing of Personal Data, Article 5; Directive 95/46/EC, Article 1 (a). 

” Convention Article 7; Finnish Personal Data Act 523/1999, Section 32 (1). 

7 According to Finnish Personal Data Act 523/1999, Section 11, sensitive data include data relating to 
or are intended to relate to the following aspects: “(1) race or ethnic origin; (2) the social, political or 
religious affiliation or trade-union membership of a person; (3) a criminal act, punishment or other 
criminal sanction; (4) the state of health, illness or handicap of a person or the treatment or other 
comparable measures directed at the person; (5) the sexual preferences or sex life of a person, or (6) 
the social welfare needs of a person or the benefits, support or other social welfare assistance received 
by the person.” 

” Finnish Personal Data Act, Section 12. 

” ibid, Section 11. 
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Computer processing enables “interceptions to be multiplied a hundredfold and to be 


analysed in shorter and shorter time spans.””* 


The interception of electronic correspondence 
has been legalized under different conditions in many countries. For example, according to 
the U. S. Electronic Communication Privacy Act (ECPA),”” ISP may supervise or intercept 
e-mail information for normal commercial goals and in order to protect property or related 
right. In addition, in the workplace, it is deemed that the employees have no privacy in 
company computers. ° Apart from legally authorized interception, infringement of privacy 
also poses a great concern. 

In fact, many court decisions in the U. S. have rejected the expectation of workplace 
privacy. At workplace, employers and governments provide information systems for 
work-related use only. Law and policy limit any use for non-work functions. The logic is that 
the use of information systems for non-work purposes is a breach of law and policy and 
deemed misconduct; then, the search into the personal use of these systems does not breach 
the privacy rights of their employees.”” 

The mobile networks are as vulnerable as the traditional computer networks. Security 
loopholes usually threaten individual rights and state security. According to the Finnish 
government news, a serious data security problem has been discovered in the Finnish 
Ministry of the Interior. With this kind of problem, it became possible to listen to the mobile 
phone calls of thousands of employees without authorization. Consequently, the Ministry had 
to inform the employees not to use mobile phones for confidential aims. The problem 
concerns employees in the police and rescue forces, emergency services, the Border Guard, 


the Directorate of Immigration, the Population Register Centre, and employees within the 





™ Malone v. The United Kingdom - 8691/79 [1984] ECHR 10 (2 August 1984). 

= 1818.6. §§ 2510-2522; and 18 U.S.C. §§ 2701-2711. The Act amended Title III of the Omnibus 
Crime Control and Safe Streets Act of 1968 (the Wire Tap Statute). 

7° For example, in United States v. Ziegler (No. 05-30177 D. C. No. CR-03-00008-RFC ORDER 
AND OPINION, 6 March 2007), the government argued that: 

“Society could not deem objectively reasonable that privacy interest where an employee uses a 
computer paid for by the company; Internet access paid for by the company, in the company office 
where the company pays the rent...This is certainly even more so true where the company has 
installed a firewall and a whole department of people whose job it was to monitor their employees’ 
Internet activity.” (p. 1087) 
™ See United States v. Wesley George Thorn, No. 03-3615, Federal Circuits, Eighth Circuit (July 13, 
2004); United States v. Angevine, 281 F.3d 1130, 1134-35 (10th Cir.); United States v. Simons, 206 
F.3d 392, 398 (4th Cir. 2000), etc. 
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Ministry of the Interior itself.” 


3.2.7 Anonymity 


The disappearance of physicality in activities on the Internet symbolizes the new way 
for daily routines, and presents a chance for new practice and changes in faiths, positions, and 
manners (Zigrus 2001, p. 171). To a certain extent, Internet services are provided for every 
user who owns a computer and a modem or cable linked to the server. The real identity of the 
user is not necessary for using the Internet. That is to say, a high degree of anonymity is 
achievable. Anonymity could indicate an intention to lie or not, to do something deceit or not. 
In the environment of online communications, particularly during interaction between remote 
strangers, information systems provide the possibility of maintaining anonymity, and we 
found that the users of information systems have the willingness to stay passively anonymous, 
not necessarily actively lying to their counterparts. 

In the case of e-mail, it is uncomplicated to register an e-mail account with false 
information, or to send messages in the name of a certain person. These e-mails may not only 
infringe the legal rights and interests of the person of the counterfeited identity, but also are 
able to fabricate a rumour, slander other people, harm other people’s reputation, or practise 
unfair competition to reduce the competitor’s trustworthiness. No obligation of free e-mail 
service providers has been established to investigate the registrants’ identity information. In 
addition, some web sites also provide anonymous e-mail services or sell anonymous e-mail 
software.’”” Under such circumstances, the traceback of the real sender is impossible. Only 
where the providers’ status is clear, under vicarious liability, can it be useful for law 
enforcement in some jurisdictions to hold the re-publisher responsible for the content of the 
original author (Edwards and Walde, eds. 1997, Part 4). 


E-mail has frequently been abused in an anonymous way so as to realize a fraudulent 





78 Finland Government News, Data Security problems in Ministry Mobile Phones, 15 February 2006. 
Retrieved 15 March 2007, from http://e.finland.fi/netcomm/news/showarticle.asp?intNWSAID=47840 
™ Examples of such services and software can be searched out with search engines. 
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scheme. This anonymity not only facilitates a lie, but may also support a fraud. An actual 
case may illustrate this better. For example, in an advance-fee fraud message, the sender 
fabricated a series of facts in order to gain the trust of the recipient, while keeping his or her 
genuine identity unknown: 

1. The sender pretended to be Mr. Harrison Compaore, the manager of bill and exchange 
at the foreign remittance department of the Bank of Africa, located in Festac Town, Lagos 
State, Nigeria, West Africa; 

2. "He" claimed that they found an abandoned sum of 39.5 million US dollars in the 
account of a foreign customer, Mr. Andreas Schranner, from Munich, Germany, who died in a 
plane crash in July 2000; 

3. “He” provided an accessible Internet hyperlink to the BBC story about the crash; 

4. “He” sought assistance to transfer this sum of money and appropriate it; 

5. “He” offered 30 percent of reward for providing a foreign account; 

6. “He” asked for the recipient’s private telephone and fax number; 

7. “He” asked the recipient to trust him, and to maintain the strictest confidence in the 
transaction. 

In a real case, R. v. Mastronardi,®° the accused, met the plaintiffs through an Internet 
dating service, during which the accused misrepresented himself as a single person and 
engaged in relationship with several victims. He represented himself as: 

“(a) coming from a large, powerful and wealthy Sicilian family; 

(b) being a widower seeking a wife; 

(c) being a medical doctor with a specialty in gynaecology; 

(d) having hospital privileges and a clinic; 

(e) being a kind, caring and considerate person with positive family and moral beliefs, 
conveyed in conversations that went on for hours on end; 

(f) having elaborate and sometimes bizarre family and cultural traditions requiring 
highly submissive wives and amalgamation of finances to an account controlled by him; 

(g) as time went on, being third in command in mafia like family organization; 


(h) not wanting to date, but wanting to immediately enter into an intimate relationship, 





8° 2006 BCSC 1681. 
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after which his culture and family regarded them as married; 

(1) once so married, his family required him to follow family and cultural traditions.” 
(paragraph 4) 

In R. v. Farkas, the accused engaged in online fraud by using different e-mail addresses, 
mailing addresses, and user names, victimizing sellers and purchasers distributed in the U. S., 
Canada, and England.*! In R. v. Reynolds & Ors, the accused engaged in online chat 
claiming himself to be a 16-year-old boy, attempting to make young girls expose their bodies 
and transmit photographs to him over the Internet.*” 

There are many ways by which people make efforts to detect lies, usually including 
various clues to emotion that may disclose the situation of lying (Ekman 1992, as cited in 
Howitt 2002, pp. 251-253). However, in the electronic lie, none of the clues can be useful, 
particularly those emotional ones, because there is no face-to-face interaction. Rather, the 
interaction itself is covered by a human-machine-human fig leaf. 

Another field where people usually maintain anonymity is interaction in chat rooms. 
Accounting for a considerable fraction of the income of the commercial online providers, 
chat systems support synchronous communication, discussion on different topics, 
trans-territorial relationships on common interests, and ignorance of social status (Internet 
Crime Forum IRC subgroup 2001, pp. 7-9; Rowland 1998; Wilbur 1997, p. 5.). The biggest 
advantage of the interaction in chat rooms is that the user can keep anonymous at the 
beginning of the chat or remain anonymous during the whole process. Keeping anonymous 
means that people are able to fabricate identities that cannot be used to identify them. By 
disguising themselves, users can perpetrate fraud and many other related activities. This 
approach is definitely useful, too, in detection and investigation of crimes, where law 


enforcement uses falsified identity to allure and arrest suspects.*° The actual reality is that, in 





§! 2006 ONCJ 121, 10 April 2006. 

8° [2007] EWCA Crim 538 (08 March 2007). 

83 Ror example, in United States v. Helder (Eighth Circuit, No. 05-3387, 16 March 2006), an 
undercover officer used a screen name and claimed to be a 14-year-old girl to entrap the perpetrator 
(pp. 2-4); in United States v. Baker (Seventh Circuit, No. 05-2499, 24 January 2006), an undercover 
officer used a screen name and claimed to be a 14-year-old boy to entrap the perpetrator (pp. 2-3); in 
United States v. Antelope (Ninth Circuit No. 03-30557, 8 June, 2004. Docket num. 03-30334, January 
2005), the accused joined an Internet site advertising "Preteen Nude Sex Pics" and _ started 
corresponding with an undercover law-enforcement agent, in respect of whom the accused was 


108 


information systems, determining users’ identity proves difficult, but not impossible.™ 


3.2.8 The abuse of services 


The powerfulness of the Internet facilitates instant communication and timely 
information exchange, covering an unlimited range of messages and information, desirable or 
undesirable, legal or illegal, beneficial or anti-social. The convenience of e-mail for 
communications is frequently exploited as the fastest and easiest ways of spreading computer 
viruses, spam,” and frauds over the Internet. 

The e-mail is the primary means for spreading malicious programmes. For example, the 
Love Bug virus reached millions of computers within 36 hours of its release from the 
Philippines thanks to e-mail. *° Subsequently, these malicious programmes can send 
messages, collect information, delete data, spread a Trojan horse, or plan future accidents 
(Sadowsky and co-workers 2003, p. 48). At the same time, e-mail bombing, that is, sending a 
large amount of e-mails to the victim, can crash the victim’s e-mail account or servers 
(Syngress 2002, p. 325). Therefore, a security concern is closely related to e-mails. 

The e-mail is both the means and the target of spam, utilized primarily for commercial, 
political, malicious, or illegal schemes. As a marketing and communications means, e-mail 
has been gradually abused. Recipients of unsolicited e-mails have to spend much time to deal 
with messages, wasting human resources and baffling the receiving of useful messages. The 
sending of bulk mails also consumes network bandwidth and interferes with the ordinary 


communications service. In addition, unsolicited commercial mails are usually sent 





entrapped when he ordered a child pornography video over the Internet; in United States v. McGraw 
(Tenth Circuit No. 02-1407, D. C. No. 01-CR-426-B, 2 December 2003), the accused was also caught 
by an undercover agent, with whom he expressed his interests in “having sexual contact with ‘white 
males between the ages of 12 and 15’,” and arranged a encounter. See also R. v. Randall (Provincial 
Court of Nova Scotia 2006 NSPC 19, No. 1538177, 28 April 2006). 

** As Peter Steiner’s cartoon saying that “On the Internet, Nobody knows you’re a dog.” Originally 
appeared in The New Yorker, volume LXIX, number 20, 5 July 1993, p. 61. Retrieved 15 March 2007, 
from http://www.unc.edu/depts/jomc/academics/dri/idog.html 

*° Spam indicates e-mail messages that a computer user has not asked for and does not want to read. 
Summers (2003), p. 1585. 

*© The Love Bug was a famous virus disseminated through attachment to e-mails. 
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anonymously or with a fabricated identity, and the recipients cannot stop subsequent 
messages. Messages of this kind also include false or misleading headers, deceiving 
recipients to retrieve messages that they do not want. Moreover, the recipients have no way 
of expressing their wish not to receive such messages, and have no way of requesting 
compensation even if they suffer loss. The abuse of e-mail has become a public nuisance in 
the online environment. Although the use of anti-spam services and technologies is 
increasing, the scale of spam is continuing to increase as fast (OECD 2004, pp. 2-3; OECD 
2005, p. 6), becoming a problem not only for personal e-mail accounts, but also for corporate 
accounts. In regulating the legal problems which the e-mail brings, traditional criminal law 
has insufficient coverage. 

Cyberstalkers *’ also abuse the e-mail service by sending text-, graphic-, and 
audio-based messages of a threatening, alarming, or harassing kind to the e-mail account of 
the intended victim (D’Ovidio and Doyle 2003, pp. 10-17). At present, it is also possible for a 
video-based message to accomplish the equivalent effect. Other Internet services can also be 
exploited by cyberstalkers to harass other users, either directly or indirectly. An example of 
direct harassment can be found when stalker sends harassing messages to a targeted victim. 
An example of indirect harassment can be found when a stalker uses the Internet 
communications to obtain a potential victim’s personal information, such as a home address 
etc., and then uses the information to contact by other means. In these cases, children are 
frequent victims (Internet Crime Forum IRC subgroup 2001, p. 11). 

In many incidents, what has been revealed is “the all too common failure of both public 
and private sector organizations to ensure that safeguards are identified and diligently 
implemented throughout organizations.”** Due to the abuse of online services, it can be said 
that, on the Internet, the use and abuse of the services grow hand-in-hand; and chances and 


challenges exist simultaneously. 





8” Cyberstalking means the illegal use of the Internet, e-mail, or other electronic communications 
systems to follow someone or threaten him or her. Summers (2003), p. 390. A cyberstalker is one who 
perpetrates cyberstalking. 

“8 Sale of Provincial Government Computer Tapes Containing Personal Information, Re, 2006 CanLII 
13536 (BC LP.C.). 
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3.2.9 From information society to mobile society:® the uncertainty of the future 


In the technological field, what is certain is the tendency of ceaseless advancement, but 
what is uncertain is the outcome of this ceaseless advancement. ICT is the most dynamic 
field in the present world. Network technology is one of its relevant aspects. In addition to 
the traditional networks, mobile and wireless networks have been developing rapidly in 
recent years. The goal of the new network technology is to integrate the known advantages of 
the previous network, avoiding the known disadvantages, while creating the unknown 
advantages. The most advantageous characteristic of all the networks is the decentralized 
structure, without central control. The unique advantage of mobile phone and wireless 
networks is the possibility of wider spatial separation between terminals and network devices. 
Controllability of such networks is being transformed into new forms. At the same time, the 
existing security concern has also been transplanted into the new media (Karygiannis and 
Owens 2002, pp. 21-22). The future of technology and security are unforeseeable. 

Computer networks form an uncertain phenomenon with which the legal system should 
keep pace. In the last few years, people in the U. K. were fond of quoting an estimate 
according to which the U. K.’s currency reserves can be transferred outside the country in 
fifteen minutes.”’ Both the convenience and dangerous nature of information systems are 
imaginable. With the traditional network, the online threats emerged about when the wire, 
fibre and cable of the network were to be linked. At the moment, with wireless and mobile 
networks, the invisible threats are emerging in space where the electromagnetic wave of the 
network covers. Although the new technological outcomes are always accompanied by 
corresponding safeguards, historical instances have proved that the initial measures have 
usually been less effective. In addition, the legal framework is less ready and less prompt in 


reaction to the new phenomenon. As Clarke claimed that, with cybercrime (computer viruses), 





*° Here we use the term “mobile society” in terms of a society with increasing population are 
connected with mobile telecommunications networks, similar to the term “mobile information society” 
that the International Telecommunications Union used at http://www.itu.int/osg/spu/ni/futuremobile/ 
(Retrieved 15 March 2007). The term also has other meanings that are irrelevant here. 

°° ‘See Kelly (2002). 
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the collapse of banks, the launching of nuclear missiles, the shutdown of air traffic control, 
and the paralysis of the telephone network are all possible in the future (Clarke 1997, p. 227). 
I will further point out in Chapter 9 that the legal reflections and reactions to the 


criminal reality are usually too sluggish and are not uniform between the different countries. 


3.3 Conclusion 


The Internet creates a space without a spatial or temporal boundary. Anyone with 
Internet access is connected to everyone else with Internet access in the world and is likely to 
be affected by the information that is published and the activities that are facilitated. All that 
not only provides chances for a social life, but also poses challenges to the social order. As a 
result, Gates (1995) stated that a significant aspect of the Internet is to get rid of remoteness, 
making it no difference between contacting a person in the next room and contacting another 
on another continent. 

On the other hand, security and trust become essential to this new environment, which is 
constructed on systems vulnerable to attacks or abuse. Computers play different roles, such as 
means, media, target, tool, place, route in offences, and can be used in varied ways to prepare 
for other offences. People have already recognized that the unique character and the great 
value of the Internet for the user community is its decentralized structure (Rotenberg 1990, p. 
16). What is tricky is that the maintenance of cyberspace order proves a challenge to the legal 
system. Many people are aware of the risks that people take when they go online. 
Quirchmayr (1997) pessimistically declared that the Internet became a paradise for all sorts 
of criminals (cited in Siponen 2001, p. 24). Interpol (2003) summarized the major threats as 
unauthorized access to and destruction of information in the processing, transporting, and 
storing stages. Information and communications technology poses enormous challenges to 
society, and clearly requires criminal-law reform. 

Firstly, the objects requiring the protection of the criminal law have been expanded in 
the information age. The basic logic behind this is that, person, property and information are 
the three kinds of objects to be protected by criminal law, and that while both infringements 
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of person and property are punishable offences, so should the abuse of information systems 
punishable, too. Although criminal law has protected copyright, patent, trademark, and trade 
secret, the explicit literal provision for protecting “information” in criminal law is a 
development of the three recent decades. However, the provisions of different countries are 
not uniform. Disputes over changing the traditional criminal law are still taking place in some 
countries, and show the persistent resistance of the conventional notion. All these factors 
render the renovation of legislation an inefficient process. In order for criminal law to have 
actual effect, the sooner the renovation of the general theory and general part of criminal law 
are carried out, the better the criminal law can serve the information society. 

Secondly, because of the expansion of the objects to be protected in the criminal law, it 
is very important to provide definition of new types of crimes, and to revise constituent 
elements of old crimes, in which information systems become a new tool, object, place, 
medium, route, and means of traditional offences. This situation calls for the change of the 
special part of criminal law. If we say that the lag in the general theory of criminal law wastes 
resources in the legislation, the failure of the special part of the criminal law waste the 
resources in criminal justice, leaving a blank in deterrence as far as new types of crimes and 
new forms of old crimes are concerned. The effective implementation of domestic criminal 
laws increasingly depends on international coordination and cooperation, requiring 
realization to a far greater degree of the international consensus of substantial and procedural 
law. 

Thirdly, the space of criminal justice is expanding beyond traditional society. The 
traditional crimes are fundamentally intra-national, trans-national, or at most international, 
while the new-fashioned cybercrimes are easily super-national and even virtual. That is to say, 
the crimes surpass the national power, while the super-national power in criminal justice has 
yet to be formed, being , restricted by the traditional principles of jurisdiction. In order to fill 
up the gap between the crimes and the power of criminal justice, international criminal law 
has formulated some new rules, though they are not widely accepted. A wider range of 
international action should be adopted in order to reduce the large expenses of time, money 
and human resources, and to decrease the further losses caused by crimes that are left 
unpunished in the process when there is this gap in criminal justice. 
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Fourthly, balance has not been reached between the influence of technology on criminal 
justice and on criminal phenomena, both of which are complex and involve positive and 
negative forces. The negative effect of technology on criminal justice and the positive effect 
on criminal phenomena point to a further failure of traditional criminal law: the inability of 
criminal justice and the inefficient deterrence against cybercrime increase the expected 
criminal benefits and lower the expected punishment. As a result, the increase of cybercrimes 
is inevitable. To resolve this problem, prompt enactment of domestic legislation worldwide 
and negotiation for international cooperation are required. 

Fifthly, the dependence of criminal law on technology, and the interaction and mutual 
support between criminal law and technology should reach an unprecedented extent. Without 
the interaction of technology, criminal law could not obtain so great a deterrent effect. 
Similarly, without criminal law, technology could hardly function solely in crime prevention. 
Both of them are necessary, but not sufficient. Although adding them up is not sufficient 
either, integrated countermeasures are of the utmost importance in cybercrime prevention. 

In sum, the weak controllability of the Internet poses serious problems that fall into the 
domain of criminal law. There is a necessity for translating traditional law to cyberspace, 
translating domestic law in the international forum, and translating diversified provisions into 
a unified standard. Criminal-law reform is to put an end to the disorder of cyberspace where 
obligations and liabilities have not been sufficiently established and perpetrators of offences 
often run large. 

However, we should also notice that the information society is not a new society but a 
new stage of the existing society, a social reality that is being re-expressed in the form of a 
re-encoding with a new coding system, as well as a new social order that is re-coping with 
the developmental tendency of society that has emerged in this new form. In the re-encoding 
process, the old codes remain or disappear, while the new codes emerge and grow. 


Cybercrime is one code in the re-encoding process of the information society. 
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CHAPTER 4. DEFINITION AND CLASSIFICATION OF CYBERCRIME 


4.1 Introduction 


Chapter 3 gives a detailed description of the vulnerabilities of information systems to 
potential cybercriminals. Although the pervasive use of information systems is accompanied 
by a wide range of social problems, and the countermeasures necessitate mobilizing a broad 
variety of legal remedies, the current dissertation will primarily be concentrating on the 
criminal phenomenon accompanying information systems and on the deterrence framework 
revolving around but not limited to criminal law. Therefore, the main task facing us is to 
determine the scope of the topic, through defining the subject-matter “cybercrime”. 

Alternative definitions of cybercrime have emerged over the years as the users and 
abusers of computers expand into new areas. There is neither a unified definition, nor a 
commonly accepted method of classification. The definition and classification methods are so 
diversified that it is impossible to sketch the scenario of cybercrime by using a single standard 
(Wasik 1991, p. 1). The present rampancy of cybercrime can in part be understood as the 
product of weak legal deterrence. This chapter advocates the use of a unified broad definition 
of cybercrime, in order to reach a consensus as great as possible, reform both substantive and 
procedural criminal law and provide effective protection for the information society. The 
chapter also proposes to classify cybercrime according to the roles of information systems 
into seven categories, information systems as target, tool, media, route, place, means of crime, 


and used in preparation for further offences. 


4.2 Earlier notions of computer crime 


Before the 1990s, computer crimes were generally understood as offences relating to 
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computers, but there was less connection with networks, even though the perpetrators of 
earlier computer crimes also exploited the networks. Among scholars, the disputes 
concerning the relationship between computer and crime were diverse. Even today, there is 
no apparent distinction between a computer crime and a traditional crime that has some 
factors relating to the computer or the Internet. The situation in the pre-Internet age should 
easily be realized from the present viewpoint. However, the most noteworthy dispute then 
resolved around whether there was a distinct criminal phenomenon of computer crime. 
Roughly, three different standpoints existed. 

From the first standpoint, there was no such thing as computer crime. For example, 
Johnson (1985) insisted that there was no distinction between an offence involving a 
computer and an offence involving no computer. Gotternbarn (1990, pp. 18-24) also claimed 
that a particular category of computer crime was unnecessary. The negativists regarded 
computer crimes as offences belonging to traditional categories. Because murder with a 
wooden stick, a block of stone, a knife, a gun, or a bomb, was only a murder, naturally theft 
by with a bag, a car, or a computer remained just a theft. The “new” types of crimes or new 
forms of existing crimes could, from this standpoint, be covered by traditional criminal law. 
There was, therefore, no need to add new articles to existing law. The only task was to punish 
these crimes according to the old law. 

The second standpoint claimed that the computer could be used to perpetrate every kind 
of crime. It could be considered pan-computer crime view (Nycum 1983, pp. 2-4). According 
to Sterling (1994), Donn B. Parker claimed that “‘...all business crime will be computer crime, 
because businesses will do everything through computers. ‘Computer crime’ as a category 
will vanish.” Li (1993) proposed that computer crime was neither a single offence, nor a 
category of offences; only because the offences more or less related to computer systems, 
they were called computer crimes. In fact, this term refers to one kind of computer crime in 
one situation, and referred to one category in other situations (Li 1993). The computer crime 
thus covered a very broad range of offences. 

Li (1992) also attempted to apply traditional penal law provisions to various possible 
kinds of computer crimes, in examining the possibility of using the 1979 Penal Law of China 
to impose a penalty on all offences involving computers against state security, person, 
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property, and the social order. This kind of proposal was also a universally accepted idea 
about dealing with computer crime in many countries at that time. The evidence was that 
many countries punished the first computer crimes before they implemented their first 
computer crime laws. At least in countries where a broad legal interpretation and judicial 
legislation were practised, unpunished computer crime cases due to lack of applicable law 
were rare. But the analogous application of law by extending the scope of existing law to 
impose punishment on activities that were not prescribed by law when they were committed 
is prohibited by the principle of legality. The broad interpretation of law did not necessarily, 
however, violate the principle of legality, even if the interpretation incorporated new terms 
such as the computer, the Internet, and information systems into law where these terms were 
once absent. The value of this standpoint was to make the potential of traditional criminal law 
as great as possible. Where there is no law ready to combat computer crime, this standpoint 
provides a theoretical basis for the application of existing laws to both protecting society and 
maintaining legality. 

In practice, as Bequai (1978) wrote that, “the majority of our local jurisdictions rely on 
traditional concepts to deal with this new and growing area of crime” (p. 25), including laws 
dealing with crimes involving habitation and occupation, covering arson and burglary; and 
laws dealing with offences involving property, covering larceny, embezzlement, extortion, 
malicious mischief and forgery (pp. 25-36). Recent efforts for utilizing the functions of 
existing criminal law have also been made in Brenner (2001). 

The third standpoint was held by middle-of-the-roaders, who admitted the existence of 
computer crime on the one hand, but limited the range of offences on the other. Undeniably, 
this has been the most broadly accepted theory. According to this theory, different technical 
terms have been used to denote the phenomenon, different definitions have been given to 
describe the issue, and different theoretical achievements have been acquired to address the 
legal framework. However, it must clearly be recognized that there has never been a unified 
technical term, a unified definition (UNCJIN 1999, Paragraph 21), or a unified theoretical 


structure of a globally accepted kind. Many technical terms have been used 
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interchangeably.” Different countries and individuals have referred to many definitions. In 
addition, people from different disciplines have also developed many theoretical frameworks 
over the years. At present, when we talk about computer crime, or cybercrime, a direct 
reflection of this is the assumption that computers or networks are involved in this crime. 

Computer crime has been defined in a diverse spectrum of senses, from extremely 
narrow ones to extremely broad ones. The definition in the narrowest sense limits computer 
crime to “one that can be carried out only through the use of computer technology” (Tavani 
2000, pp. 6-7). This definition excludes crimes that can be committed only through other 
means than computer technology and that can be committed in both ways. A broader 
approach defines computer crime as crime by computer. This definition excludes crimes 
targeting a computer. 

A yet broader definition includes both crimes by computer and against the computer.” 
The current view about offences against computers is likely to relate the physical forms of 
computers or computer technology to the function of computers. There were numerous cases 
in which computers were damaged not by today’s technological methods, such as viruses, 
hacking etc., but were committed by traditional measures, including arson, bombing, and 
shooting. The development of cybercriminal phenomena proves that there is a vague limit 
between offences by computer and offences against the computer. 

The broadest definition was proposed by Parker (1980, cited in Solarz 1981, pp. 25-26), 
who divided computer crimes into computer abuse, computer crime and computer-related 
crime. Obviously, the computer crime conception at the second level was included in the first 
level. The computer crime conception at the first level was extremely broad. In fact, Parker 
and Nycum (1984, p. 313) defined computer crime “as any illegal act where a specific 
knowledge of computer technology is essential for its perpetration, investigation, or 
prosecution,” saying subsequently that computer crime was not regarded as a distinct type of 


crime different from other crimes, and that almost every sort of crime could be committed 





*! See COM (2000) 890 final, 12. Even the UN uses the terms computer crime and computer-related 
crime interchangeably. See also United Nations Crime and Justice Information Network (1999), 
Paragraph 21. 

” See, for example, McConnell International (2000); Reece (2000). See also Berg (2000); Goodman 
(1997), pp. 465, 468-469. 
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through the exploitation or intervention of computers (ibid). Such kind of a definition has 
accepted and developed by many subsequent studies, for example, Pihlajamaki (2004) 
defined cybercrime (“information technology crime” in his original term) as a crime in which 
the data processing system is the target or tool, while special knowledge of information 
technology is a necessary factor in the process of commission and prosecution (p. 286). 

In the network environment, the model of a computer crime becomes more relevant with 
the emergence of the Internet. Cybercrime is loosely defined as a crime committed by means 
of the computer or the Internet (Levinson 2002, p. 455). The Council of Europe Convention 
on Cybercrime 2001 made the term “cybercrime” prevalent. Articles 2-10 of the Convention 
on Cybercrime also adopted a broad conception in criminalizing cybercrime, providing for 
the offences against security, computer-related offences, and content-related offences. 
Although the Convention adopted a broad conception, the detailed offences under the titles 
were limited. The high level of consensus concerning conception, and the low level of 
consensus concerning the categories is a factor that makes it reluctant for more countries to 


consider access to the treaty. 


4.3 The previous deficiencies in understanding cybercrime 


Some of the previous understanding about cybercrime has been misleading and 
confusing in providing inexact information. The following deficiencies have been very 
frequent in both academic writings and non-academic writings. 

The first misunderstanding happened against a historical background. While people have 
regarded the predecessors of cybercriminals as the hackers of three or four decades ago, a 
general view has been to make the term “hacking” bear the meanings of today’s “cybercrime”. 
This misunderstanding buried the computer explorers collectively under the shell of deviance. 

The increasing cyber perpetration at the end of the twentieth century and the beginning 
of the twenty-first century witnessed a second misunderstanding of the conception. The 
illusion that information systems were a critical infrastructure that was easily prone to abuse 


and in effect caused massive deaths, injuries, and economic disasters led to an extreme notion 
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that viewed all cybercrimes as terrorist attacks. The equation “cybercrime = cyber terrorism” 
has already been broadly accepted by many scholars with the help of a non-expertise 
dominated mass media, which survive competition by spreading both truth and speciousness. 
As yet, although there have been many concerns about the use of information systems in the 
preparation of real terrorist attacks, and the situation may be growing worse,” cyber 
terrorism is only a political possibility. The crime is the premise of punishment that assumes a 
legal order, but the terrorism is a reason for war that destroys the legal order. By exaggerating 
many traditional crimes as terrorism, the powers can launch continues wars against the 
weaker states, or threaten to do so as politics. By claiming all cybercrime as cyber terrorism, 
the future of the communities in the information society is obscure. We doubt whether 
hackers deserve punishment by war. The character of such a war would not be its punitive 
nature, but a social collapse. 

The third misunderstanding is politicization of the conception in a broader sense. To 
view cybercrime as cyber terrorism is one part of the picture. This broad misunderstanding 
was created by the acclamation of information systems as a national critical infrastructure, to 
maintain and protect which the state intervention or political intervention is considered 
necessary. The politicization of information systems results in the politicization of activities 
against this system, the cybercrime. 

The fourth misleading understanding is, strangely, to moralize the cybercrime by 
exploiting the term “hacking”. The moralization has two respects: one regards cybercrime as 
being moral, not immoral and thus not illegal; the other regards cybercrime as a moral issue, 
not a legal issue, and thus law has no business here. The natural effect is that cybercrime 
should not be regulated by law. 

The last category of misleading definitions has the tendency of mystification. The 
representative notion is that cybercrime is high-tech crime and does not seem to be 


committable by common users in daily life. Actually, when technology is used in routine life, 





°? Many prosecuted cases involved features that were possibly to be used in terrorist attacks deposited 
in information systems, for example, R. v. Boutrab ({2005] NICC 36 (24 November 2005)), in which 
the accused downloaded from a library computer and deposited in floppy discs the files, the contents 
of which contained information about the making and use of explosives for attacks on aircraft and the 
manufacture of silencers for firearms. 
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high technology gradually becomes low technology. When high tech crime exists in daily life, 


it becomes low-tech crime. 


4.4 What exactly is cybercrime? 


No unified term for cybercriminal phenomena has been universally accepted, even 
though some terms including “computer crime” and “cybercrime” are relatively popular. 
Roughly, seven groups of terms have been in use. Among these groups, many different words 
and phrases have been adopted or created. Because of the changing ways in which the 
cybercriminals commit crimes, the ways in which people name these crimes are changing as 
well. In order to clarify how people view cybercrime from different standpoints, this section 
examines some groups of synonymous terminologies of “cybercrime”. 

The first group of terms emphasizes the view that regards the computer as a unique target 
or tool of crime. The term “computer crime” has been broadly used in academic writings as 
well as in laws and regulations particularly before the Internet was opened to commercial use 
in the 1990s. This term represents a group of similar terms, including computer crime,” 
crime by computer (Parker 1976), computer-related crime (Sieber 1998; Stephenson 2000), 
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computer-facilitated crime, computer misuse,”” computer abuse,” computer mischief, 





** Computer crime is the most frequently used term in denoting the phenomenon. For example, there 
is an institution named the “Computer Crime Research Centre”. See the institution’s Web site, at 
http://www.crime-research.org/. 

°° See Computer Crime and Intellectual Property Section (CCIPS), Prosecuting Crimes Facilitated by 
Computers and by the Internet, last modified 15 March 2007. Retrieved 15 March 2007, from 
http://www.usdoj.gov/criminal/cybercrime/crimes.html. 

°° For example, the usage of this term in “The U. K. Computer Misuse Act 1990 (c. 18).” 

*7 For example, the usage of this term in “The US Computer Fraud and Abuse Act (18 USC 1030).” 

*8 See, for example, Woodward, C. Washington Quarter Voting Hijacked by Computer Mischief, 
Associate Press, 10 April 2006. Retrieved 15 March 2007, from 
http://seattlepi.nwsource.com/local/6420AP_WA_State_Quarter.html. In unofficial English translation 
(by the Finnish Ministry of Justice) of the Penal Code of Finland, Chapter 34, Section 9a (578/1995) 
defines criminal computer mischief, stating that “A person who, in order to cause harm to automatic 
data processing or the functioning of a data system or telecommunications system, (1) produces or 
makes available a computer program or set of programming instructions designed to cause harm to 
automatic data processing or the functioning of a data system or telecommunications system or to 
damage the data or software contained in such a system, or distributes such a program or set of 
instructions, or (2) makes available guidelines for the production of a computer program or set of 
programming instructions or distributes such guidelines, shall be sentenced, unless an equally severe 
or more severe penalty for the act is provided elsewhere in the law, for criminal computer mischief to a 
fine or to imprisonment for at most two years.” 
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computer break-in,” computer sabotage (Sieber 1996), computer espionage, ”” computer 
manipulation (Sieber 1996), etc. “Comcrime” was used in the title of Sieber (1998), though 
the term was not used in the main body of the text. 

The second group of terms are accompanied with a crime particularly facilitated by 
computer networks. The origin of the term “cybercrime” cannot be identified, but there is no 
doubt that it became prevalent with the legislating process of the European Convention on 
Cybercrime. The prefix “cyber” simply means computer, but people tend to use it in terms of 
networked computers. Generally, people wish to distinguish the criminal phenomena in the 
network age from that before the 1990s. Smith, Grabosky and Urbas (2004, pp. 5-6) have 
argued that "cyber" used as an adjective does not equal to "cyber-" used as a prefix. That is to 


mow 


say, "cyber crime" is not "cybercrime". They have used the term "cyber crime" "to describe a 


range of criminal offences, only some of which specifically relate to computers and the 
telecommunications infrastructure that supports their use." (p. 5) They have viewed 
"cybercrime" as "a singular concept of crime that can encompass new criminal offences 
perpetrated in new ways" and "cyber crime" as "a descriptive term for a type of crime 
involving conventional crimes perpetrated using new technologies." (p. 6) Most authors are 
using these two terms interchangeably. Besides terms cybercrime, or cyber crime, people also 


1 


use net crime,” the Internet crime (Taylor and Quayle 2003), crime on the Internet,” 


4 


Internet-related crime, 103 network crime, 104 etc. In Finland, cybercrime is sometimes 





*” Tn unofficial English translation (by the Finnish Ministry of Justice) of the Penal Code of Finland, 
Chapter 34, Section 8 (578/1995) defines criminal computer mischief, stating that “(1) A person who 
by using an unauthorized access code or by otherwise breaking a protection unlawfully hacks into a 
computer system where data is processed, stored or transmitted electronically or in a corresponding 
technical manner, or into a separately protected part of such a system, shall be sentenced for a 
computer break-in to a fine or to imprisonment for at most one year. (2) A person shall also be 
sentenced for a computer break-in if he, without hacking into the computer system or a part thereof, by 
using a special technical device unlawfully obtains information contained in a computer system 
referred to in (1). (3) An attempt is punishable.” 

(4) This section applies only to acts that are not subject to an equally severe or more severe penalty 
provided elsewhere in the law. 

°° Defence Investigation Service, Computer Espionage, The American Report, number 288, 5 May 
1996. Retrieved 15 March 2007, from http://www.kimsoft.com/korea/edispy.htm; McNamara (2003). 
°! For example, the term net crime was used in news report, Luening, E. European Council Moves 
Net Crime Treaty Forward, CNET News, 20 November 2000. Retrieved 15 March 2007, from 
http://news.com.com/2 100-1017-248874.html 

For example, Darlington, R. Crime on the Internet. Retrieved 15 March 2007, from 
http://www.rogerdarlington.co.uk/crimeonthenet.html 

°° For example, Computer Crime and Intellectual Property Section (CCIPS), How to Report 
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translated as “tietoverkkorikos” (information network crime), with the same meaning as 
“tietotekniikkarikos” (information technique crime), referring to both offences targeting 
information processing systems and offences committed with the assistance of information 


; 105 
processing systems. 


According to Darlington (n.d.), crimes on the Internet include 
“hacking, viruses, pirating, illegal trading, fraud, scams, money laundering, prescription drugs, 
defamatory libel, cyber stalking, cyber terrorism.” According to CCIPS (2006), 
Internet-related crimes include “computer intrusion, password trafficking, copyright piracy, 
theft of trade secrets, trademark counterfeiting, counterfeiting of currency, child pornography 
or exploitation, child exploitation and Internet fraud matters that have a mail nexus, Internet 
fraud and spam, Internet harassment, Internet bomb threats, trafficking in explosive or 
incendiary devices or firearms over the Internet.” 

The third group of terms regard the Internet as only a part of the whole 


re 106 
telecommunications systems. r 


Electronic crime (e-crime) emphasizes the characteristic of 
the criminal phenomena relating to (micro) electronics rather than to computer or computer 
networks. “The term ‘e-crime’ arose in the tradition of terms such as e-mail, e-commerce, 
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e-zines, e-tailer and e-government.” 


With this term, people usually indicate the same 
phenomenon as cybercrime, but others also extend it to cover crimes relating to the 
telecommunications systems, in which the Internet is only a part of the whole systems. 

The fourth group of terms regard the space, the community, or the environment created 
by the Internet as the place where a crime is committed. The word “virtual” has a deep and 


different meaning in the term “virtual reality”,'°° but “virtual crime” is in fact the substitute 


of cybercrime in the sense that the crime is committed in the network environment. A purely 





Internet-Related Crime, Last modified 15 March 2007. Retrieved 15 March 2007, from 
http://www.usdoj.gov/criminal/cybercrime/reporting.htm 

* In Chinese, the counterpart of the term cybercrime is simply “wangluo fanzui” (network crime). 

°° Governmental Proposal HE 153/2006 of Finland concerning Approval of Council of Europe 
Convention on Cybercrime (here after HE 153/2006), General Justifications, 1. Introduction. 

°° For example Tennyenhuis and Jamieson (2003), pp. 187-206; Australian Police Commissioners’ 
Conference Electronic Crime Working Party of Australasian Centre for Policing Research (2000), The 
U. S. Technical Working Group for Electronic Crime Scene Investigation (2001), etc. 

°” See McKenizie, S. What are Electronic Crimes? 2 July 2004. Retrieved 15 March 2007, from 
http://www.criminology.unimelb.edu.au/research/ecrime/ecrimedefn.html 

°8 Virtual reality indicates an environment produced by a computer that looks and seems real to the 
person experiencing it. See Summers (2003), p. 1841. 
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virtual crime has not been criminalized.'” When used as synonym for cybercrime, the focus 
of the term “virtual crime” is put into the specific spatiotemporal context created by the 
Internet and interpersonal communication via the Internet. 

The fifth group of terms regard the data, information or privacy as the primary factor in a 
crime. In fact, cybercrime is crime related to information or information systems (not limited 
to computer and computer networks). Future terminology should therefore incorporate 
information or information systems into the name of such a crime. 

The sixth group of terms regard the processing of “digital” information as the unique 


“ 


characteristic of cybercrime (Lilley 2002). “Digital” means “using a system in which 


information is recorded or sent out electronically in the form of numbers, usually ones and 


zeros.”"'° Digits are neither the system through which the crime is committed, nor the 


technology by which the crime is committed. Rather, they are the form in which information 
is processed through the system. A crime can hardly be “digital” because the committing 
process of a crime differs from the processing form of information. 


The seventh group of the terms regard ICT as high technology. A crime involving ICT is 


3 


named high technology crime,''! high-tech crime, '!? hi-tech crime,''? or information 
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technique crime.“ In fact, the term “high technology” is only used to indicate modern high 


technology, excluding the ancient ones. In the viewpoint of the tenth century, papermaking 





'© Such as the case of “a rape in cyberspace” described in Dibbell (1993). The article described a 
“cyberrape” performed by a Mr. Bungle in a multi-user dungeon (MUD), called LambdaMoo, and the 
repercussions of his act. See Wikipedia, A Rape in Cyberspace, 17 April 2006. Retrieved 15 March 
2007, from http://en.wikipedia.org/wiki/A_Rape_in_Cyberspace. 

'!° See Summers (2003), p. 436. 

"Kovacich and Boni (1999); the International High Technology Crime Investigation Association. 
“(HTCIA) is designed to encourage, promote, aid and effect the voluntary interchange of data, 
information, experience, ideas and knowledge about methods, processes, and techniques relating to 
investigations and security in advanced technologies among its membership.” Retrieved 15 March 
2007, from http://www.htcia.org/aboutus.shtml 

' For example, an institution named “Australian High Tech Crime Centre”, which “employs 
representatives from all Australian State and Territory police forces in both its staff and its Board of 
Management. This creates an environment of cooperation and national consistency to referrals, 
training, education, intelligence, policy and investigations.” See web site, at http://www.ahtcc.gov.au/. 
'S For example, an institution named “The National Hi Tech Crime Unit”, which is part of the Serious 
Organised Crime Agency, see web site, at http://www.nhtcu.org/ 

'* For example, in Finnish, the literal meaning of the term “tietotekniikkarikos” is information 
technique crime. The term is used interchangeably with “tietoverkkorikos” (information network 
crime) (HE 153/2006, General Justifications, 1. Introduction). The general understanding of 
cybercrime is that it happens in the environment of information processing systems and with an 
expertise on the operation of such systems (Ibid). 
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may be a high technology. In the viewpoint of fourteenth century, movable type printing 
technique may be another high technology. They can both be regarded as technology relating 
to information processing. This indicates that the term high technology is unsuitable for 
naming a crime. On the other hand, most computer-related crimes have in fact only used “low 
tech” as Molnar (1987, p. 714) found in his study. Therefore, there has been a 
misunderstanding in giving the general public the impression that each and every kind of 


computer crime is sophisticated and not committed by ordinary person (ibid). 


4.5 “Cyber” as a label of crime 


As noted, the prevalence of the prefix “cyber” readily becomes a substitute for the terms 
computer and computer network. Anything can be “cyber” if it is related to the computer and 
the computer network. Cybercrime is not always a crime that did not exist in the pre-computer 
era, just as we cannot deny the existence of “ancient” white-collar crime before Sutherland 
coined the term. The twentieth century was the time when people tended to label old or new 
things with new inventions. The most apparent example is the use of the word “modern.” Due 
to the overuse of the word, people today cannot use the word modern any more. Criminal law 
and criminology are also full of labels of this kind. 

One of crime’s labels currently in use is “cyber.” To label a crime “cyber” has a similar 
meaning to labelling the present historical period as an information age. In addition, it has a 
further significance in criminology. The following analysis is only an effort to explore the 
subtext to which the prefix “cyber” can refer. 

(1) The label contains the implicit meaning of deviant behaviours dependent on 
information systems. Violent crime is a label for deviant behaviours involving the use of 
human force. Intelligent crime is a label for deviant behaviours involving the use of wisdom. 
White-collar crime is a label for deviant behaviours by the perpetrator’s occupation. Similarly, 
cybercrime labels deviant behaviours that depend on information systems, without which the 


offences are impossible to commit, or by which the offences may be committed more 
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efficiently.'' 


The more the people are heavily dependent on information systems, the more 
the offences that cannot be committed without such systems are committed; the more the 
offences with such a system can be committed more efficiently the more frequently they 
occur. The prefix “cyber” is meant to characterize the dependence of new types or new 
categories of offences on information systems which label this society. 

(2) The label sketches the semi-virtual and semi-real crime scene. Many people are 
talking about a different space as virtual. In fact, due to technological limits, perfect virtual 
space has not been realized. The current cyberspace is a semi-virtual and semi-real space. 
Thus, pure virtual interaction is neither possible nor has its meaning. The information age is a 
term merely symbolizing a developing stage of virtual space, a partly virtual and partly real 
environment. Naturally, cybercrime only involves a semi-virtual and semi-real crime scene. It 
is true that the supposed neural computer may construct a pure virtual atmosphere and 
facilitate a pure virtual crime. However, the virtual crime scene cannot appear before a robot 
driven by a neural computer is created. 

(3) The label gives us an impression of human-machine criminal interactions. 
Human-machine interaction represents only a piece of social interactions. The results of 
human-machine interaction can be human-machine-human or human-machine-machine 
interactions. The process can be unlimitedly expanded. Furthermore, the participants in the 
interaction can be multiple humans and multiple machines, that is, in networked systems. This 
shows the complicacy of online activities including cybercrime. The expansive forms of 


human (H)-machine (M) interaction can be illustrated as: 





"'S There is no a lack of viewpoints that regard computer crime as a kind of white-collar crime. For 
example, Bequai (1978, p. 1) stated: “Computer crime is part of a larger form of criminal activity 
—white-collar crime.” Considering that the concept of white-collar crime is becoming vague in the 
information age, this study generally does not classify cybercrime into the bigger category of 
white-collar crime. 
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Figure 4 Human-Machine Interaction 


In fact, the human-machine interaction has a deep impact on the criminalization of 
deviant behaviours relating to information systems. For example, in the Governmental 
Proposal HE 153/2006 (Finland), the spreading of computer virus has been noted as likely to 
be realized through delivering it to other persons, or to be through spreading it in the 
machines.''° 

(4) The label demonstrates on extension of the criminal territory. The traditional crime 
happens in the visible sphere and is mostly territory-dependent. In the information age, the 
territorial extension of crime has dual meanings. On the one hand, the criminal phenomenon 
extends from the visible sphere to the invisible sphere. Cybercrime generally crosses both 
visible and invisible spheres simultaneously. The process and results of cybercrime are both 
revealed only with difficulty. On the other hand, trans-territorial crime becomes easy with the 
help of information systems, as compared with the traditional communications system and 


transportation system. Information systems integrate the function of many traditional systems, 





"6 HE 153/2006, Detailed Justifications, 3. Reasons of Governmental Bills, 3.2 Penal Code, Chapter 
34 Endangerment. 
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enabling a remote operation of communications, transportation, authentication, banking, 
printing, and so forth. 

(5) The label causes multidisciplinary attention. In the past, scholars attempted to label all 
those disciplines relating to crime by the term “criminal” and formed many marginal 
disciplines, such as criminal psychology, criminal sociology, etc. The twentieth century 
development of criminal phenomena made it overcomplicated to create so many disciplines. 
Rather than labelling informatics, cybernetics, etc., “criminal”, scholars from different 
disciplines pursue research from their own standpoints. Works of many disciplines 
accommodate the contents of cyber ethics and cybercrime as inseparably constituent. Crime 
and its study are both more “cyber” than “criminal”. Many criminalists migrated from the 
criminal sciences to other disciplines before the information age. Today, more 
non-criminalists are migrating from their own disciplines to the criminal sciences. 

(6) The label holds the digital criminal power. While information systems utilize the 
power of the digital form, crime is also becoming digital. “Being digital”''’ means “being 
different” from the traditional social life. “Being digital” also means complexity and 
advancement of criminal circumstances. The power of information is expressed in digital 
form, both in social welfare and in social problems. It is natural for criminals to exploit the 
digital power of the scientific and technological advancement. In fact, the criminal 
phenomenon of the present day is modernized by the label of “being digital” in its 
spatiotemporal existence, with the emergence of new types of offences and new forms of old 
offences. 

(7) The label does not disrupt the vitality and continuity of the criminal tradition. 
Aggressive activities are universally acknowledged among animals. Crime is as old as human 
beings, finally imposed punishment by law. The corner-stones of criminal science are 
offences such as homicide, theft, robbery, arson, etc. The development of criminal 
phenomena demonstrates the continuity of tradition and the revision of minor details, 
including the tools used, the vehicle driven, the assets obtained or the premises destroyed. 


However, with interests and security as the basic goals, the foundation of criminal phenomena 





"7 “Being digital” comes from the name of a book by Nicholas Negroponte (1995), who put forward 


a future vision of digital technology. 
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has not changed. Labelling a crime “cyber” is merely adding new factors to the tradition, but 
not undermining the innate foundation. With this label, traditional criminal law just takes a 
new step forward. 

(8) The label confirms the transformation of criminal patterns. If we say that the 
traditional criminal phenomenon was symbolized by forces and violence, the characteristic of 
cybercrime is the involvement of intelligence and intrigue. The physical and psychological 
existence of past human beings was confronted by threats of starting a bloody scene. Even in 
the present day, terrorist attacks are far more often the primary headlines in the mass media 
and a theme of critical concern for governments. For example, approximately 11,111 terrorist 
attacks occurred in 2005 and resulted in over 14,602 killed, 24,705 injured, and 34,780 
kidnaps. Approximately 630 attacks accounted for over half of the total fatalities.''® The 
bloody scene remains a severe threat, but a silent transformation of this threat is happening 
with the continuing growth of information systems. Certainly, there is no sign demonstrating 
that the traditional fatal violence can be replaced by cybercrime or cyber terrorism. 
Cybercrime represents merely a tip of the iceberg of the entire crime scene. We still doubt 


whether the hacker will be the future captor or killer? 


4.6 Towards a broad definition of cybercrime 


Considering the previous experiences and lessons in legislation and law enforcement, I 
strongly advocate a broad definition of cybercrime, which would then have a number of 
advantages in criminal-law reform. 

First, a broad definition of cybercrime would help to achieve as great a consensus as 
possible in the context of criminal-law reform. International negotiation is a prolonged and 
expensive process, a consensus based on a narrow definition would not be as effective as one 
based on a broad definition. Criminal justice according to a less consentient mechanism will 
inevitably meet unsolvable difficulties that require a new round of international consultation. 


Considering that current international consensus is inadequate, supplementary agreement is 





"8 The U. S. Department of State, Country Reports on Terrorism, 2006, Statistical Annex, v and vi. 
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necessitated in the near future to acquire a broader coverage. An international treaty should 
be based on such a broad definition that member states would only exclude by way of 
reservations clauses unsuitable according to their own needs and traditions, but not exclude 
such contents from the treaty and hinder other state from accepting these clauses. 

Secondly, a broad definition would help to revise criminal law completely, thus 
avoiding merely adding simply a couple of isolated articles. The isolated articles leave the 
cybercrimes in the broad sense unpunishable according to laws. The broader the coverage of 
the definition is, the more possible it is for criminal laws to prescribe more activities as 
falling under the category. Many countries, including China and the U. S., initially passed 
laws with very limited coverage over activities or targets; however, they all subsequently 
made amendment so as to expand the scope of their legislation. Starting from a broad 
definition will avoid the waste of legislative resources. 

Thirdly, a broad definition would help to amend procedural criminal law based on 
substantive criminal law. Without a qualified procedural law, the amendment of substantive 
law is easily invalidated. In the common-law system, the division between procedural law 
and substantive law is not so clear. Nevertheless, in other legal systems, the coordination of 
these two branches of law has sometimes required a special legislative process. The prior 
enactment of substantive law is reasonable before procedural law. For both the substantive 
and procedural laws to be more effective and more consolidated, a broad definition of 
cybercrime would enable a better drafting of provisions in procedural law. 

Finally, a broad definition would also help to provide full protection for a critical 
information infrastructure. Legal science should always face the social changes that are 
seeking to influence legal notions and the legal framework. However, social changes have 
never happened so rapidly in the history they do as today. The development of cybercriminal 
phenomena is a particular example that must be considered from the global view. In less 
developed or less rapidly developing countries, their laws cannot wait for the occurrence of 
cybercrimes within their own boundaries. Every offence existing in other countries may cross 


the borderless networks without perception. 
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4.7 Proposed definition of cybercrime 


In this dissertation, cybercrime is defined as any type or any form of traditional or 
untraditional crime involving information systems in use as media, means, place, route, target, 
tool, or used in the preparation for other crimes. 

First, cybercrime covers any form of traditional or any type of untraditional crime that 
can involve information systems. With the universal use of information systems, many types 
of new crimes emerge, many old crimes occur in new forms, and many new and old crimes 
happen interlinked. If information systems are the key factors in the crime, the crime falls 
into cybercrime. If an offence cannot be committed through information systems, it is not a 
cybercrime. According to the relationship between the cybercrimes and traditional crimes, 
cybercrimes can be divided into cybercrimes as substitutes for traditional crimes and 
cybercrimes as the complements of traditional crimes. The occurrence and increase of 
substitutes depend on the costs compared with the traditional crimes. When the costs of 
cybercrimes are lower than traditional crimes, cybercrimes will increase, vice versa. The 
occurrence and increase of complements, nevertheless, depend on the costs when compared 
with traditional crimes committed by other means. When costs of traditional crimes 
committed by the means of computers and networks are lower, crimes of this kind will 
increase, vice versa. In this sense, cybercrimes turn out to be traditional crimes facilitated by 
computers and networks. 

Second, information systems are the distinct factor in cybercrime. Li (1993) proposed 
that a computer crime should be defined as a crime relating to “computer information 
systems”. Computer crime, or cybercrime, is by its nature information crime. The definition 
of cybercrime must contain the element of digital information or be a part of information 
systems. But computers and networks are simply the present representative of information 
systems to create, process, transmit, duplicate, exchange, disseminate, modify and destruct 
digital information. The hardware, software, and peripheral devices are only parts of these 
information systems. The development of ICT may simply outgrow the systems’ current 
forms. Whatever the forms we use, however, such a mechanism as information systems will 
remain. 


131 


The terms “computer” or “network” cannot embody the complete scene of information 
systems, nor be expected to point out necessarily to the future of the technology. Many of the 
previous definitions focused on “computer”; and later definitions emphasized “network” as 
well. However, the image of computers and networks is changing; the transformation in the 
future may be faster and greater. It is reasonable to incorporate the term of “information 
systems” into the definition of cybercrime instead of using the terms of “computer” or 
“network”. 

Thirdly, information systems must be in use. Information systems not in use cannot 
facilitate a cybercrime. The term “in use” has to be understood in a broad sense. A computer 
is in use from the time it is purchased as a facility until the time when it is disused and 
disposed as cast-off. The transportation, installation, debugging, examination, reparation, and 
temporary switching off do not cancel the status of being in use. A paid order is enough to 
make a computer in use, because the expected use will influence the decision-making and 
productivity of the user. If such a computer were to be damaged and the schedule of adopting 
such a device delayed, or the expected benefit reduced, the loss of the user would be apparent. 
A network in use also has a similar meaning. Different stages in the whole process of being 
in use have a similar sense but are different in importance. 

In some cases, however, computers are no more than entertainment equipment in a 
victim’s daily life. Where this is the case, the function of the information processing of the 
computer is not particularly emphasized. Then, even if the computer is quite valuable, theft 
or destruction of it should not be regarded as a cybercrime. In KKO:2000:17, the accused, 
who was invited to the victim’s house, took the victim’s portable computer and other devices 
after the victim fell asleep. In I-SHO 13.11.2006 1401, the accused usurped a portable 
computer valued at 880 euros from a shop and sold it to a man at the price of 70 euros, for he 
regarded it as a typewriter. Although the movable property was valuable, nothing about the 
special function of the computers was mentioned in the courts. It is apparent that the offence 
was not committed against information systems “in use” for the purpose of information 
processing, and the loss was of such a nature as to be neglected compared with the value of 
the computers as commodities. 

Fourthly, the roles of information systems in cybercrime are multiple. Information 
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systems can be exploited as media, means, place, route, target, tool of a crime, or used in the 
preparation for other crimes. Exactly as explosives are different from primitive weapons, a 
plane different from other vehicles, information systems are different from many traditional 
facilities. The accompanying conceptions are data processing and transmission, multimedia, 
virtual reality, remote control, online interactive, and so forth. With information systems, 
people are involved in intersensory actions. To highly evaluate the functions of the (current 
and future) information systems is a matter that cannot be overestimated. The equivalent 
applies to the situation of cybercrime, which is committed intersensorily. 

Finally, it is also necessary to point out that, even if we adopt a broad definition of 
cybercrime, the offences merely involving information systems but having nothing to do with 
their functions do not constitute cybercrime. A typical example is the prohibition of import or 
export of computers, software, or technology. Many countries have trade prohibitions of this 
kind so as to maintain the political, military, or scientific competitive priority, and this might 
mean even limiting the public from using such devices. For example, according to the 
Myanmar Computer Science Development Law of 1996, the importing or keeping in 
possession or utilizing any type of computer, or setting up a computer network or connecting 
a link inside the computer network, without prior sanction, are offences punishable by 
imprisonment of 7 to 15 years and a fine. Offences of this kind do not belong to cybercrime 


in terms of this dissertation. 


4.8 Categories of cybercrime 


Cybercrimes can be classified under different definitions and according to different 
standards. Scholars have proposed numerous plans for categorizing cybercrimes. For 
example, Bequai (1979a, pp. 106-107), who originally regarded cybercrime as part of 
white-collar crime, proposed to classify computer crime into five categories, including 
vandalism, theft of information, theft of services, theft of merchandize or other property, and 
fraud. Bequai (1983) thereafter developed his classification into seven categories, including 
financial thefts, frauds, and abuses; thefts of property; abuses of data; unauthorized use of 
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services; vandalism; sabotage, and political and industrial espionage (pp. 17-21). Wasik 
(1991, pp. 41-60) proposed six categories of computer misuse, including unauthorized access, 
computer fraud, unauthorized removal of data or programmes, unauthorized use of computer 
time or facility, and destruction and damage. Wasik (1991, pp. 24-33) put forward three 
levels of relationships between the conceptions of computer crime and white-collar crime: (1) 
corporate crime, (2) occupational crime, and (3) misuse committed by outsiders. To a certain 
extent, this can also be regarded as a classification system. Grabosky (2000) considered nine 
varieties of cybercrime, including theft of services, communications in furtherance of 
criminal conspiracies, information piracy and forgery, the dissemination of offensive 
materials (including extortion threats), electronic money laundering; electronic vandalism 
and terrorism; telemarketing fraud, illegal interception, and electronic funds transfer fraud 
(pp. 3-8). Icove and co workers (1995), Sieber (1996), and many other scholars have also 
proposed various methods of classification. An exhaustive bibliography is neither necessary 
nor possible. However, this section will present a classification method according to the roles 
that information systems play in offences. 

Many earlier definitions of computer crime have already contained some methods of 
classification based on the different roles of the computer in offences. The development 
process is from simple categories to complex categories. The earliest definition contained the 
only category, that is, crime by computer (for example Parker 1976). A subsequent definition 
contained two categories, that is, crime by computer and crime against the computer." 
MacKinnon (1997) classified cybercrime into computer-incidental crimes and 
computer-instrumental crimes, and defined computer-incidental crimes as offences in which 
the computers are merely used “incidentally or tangentially”; computer-instrumental crimes 
involve computers more “directly” as the “tool” or instrument (MacKinnon 1997, p. 210). 
The U. S. Department of Justice (2000) categorized computer crime into crimes in which 
computers are targets, storage devices, and communications tools. Parker and Nycum (1984, 


pp. 313-314) identified four ways of committing criminal acts with computers, that is, the 





'!? Tn the network environment, scholars have also transplanted this category in their research on 


cybercrime. Casey (2000), as cited in Levinson (2002), p. 455, saying that cybercrime can be a 
traditional crime that is committed through the use of a computer or the Internet, or a crime that 
involves particularly the targeting of computer technology. 
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computer as the object, subject, tool of the crime, and the symbol of the computer used in 
intimidation or deception. Carter (1995) divided computer crimes into four categories, 
including offences in which the computer was the target; the computer was the instrument of 
the crime; the computer was incidental to other crimes; and crimes associated with the 
prevalence of computers. Whereas information systems play an increasingly essential role in 
contemporary society, considering that the offences accompanied by information systems are 
being increasingly diversified, we feel that there is a need to expand the categories of 
cybercrime with regard to information systems. In discussing digital extortion, Grabosky 
(2000) has listed the roles of information systems as media for threat, targets of threatened 
action, media for disclosure of embarrassing personal details, means of facilitating payment, 
and incidental to the offence (pp. 34-50). All these discussions prove that information 
systems can play a variety of roles in offences. 

In the following sections, I will expand the roles of information systems in cybercrime 
and divide cybercrime into seven categories. Information systems can be target, tool, media, 
route, place, and means of crimes and can be used in preparation for other offences. In 
previous literature, the dichotomy recognized the roles of information systems used to be 
summarized as target and tool (or termed instrumentality). The term “tool” or 
“instrumentality” has been used in an unlimited broad way. In practice, the roles that 
information systems can play are far more abundant than merely being a tool or an 


instrumentality. 


4.8.1 Information systems as a target of the offence 


“Computers are targets” is a subtitle in Bequai (1983, pp. 7-11). At present, we can 
roughly assert that the whole information systems are targets. In a certain sense, information 
systems can be regarded as networked assets (Wells and Sevilla 2003), including tangible 
assets and intangible assets, hardware and software, intra-national assets and international 
assets. Networked assets are a kind of combinative assets existing in cyberspace. Furthermore, 


networked assets are dynamic, existing in the process of production, which constitutes a kind 
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of production management, for example, covering activities that can be included in the field 
of electronic commerce. 

The economy, national security, politics, military affairs, science and technology, 
education and medicine increasingly depend on the Internet, through which information is 
created, stored, transmitted and processed. When information security is threatened, the 
whole country will suffer great losses. 

The Internet is vulnerable to artificial attacks, some of which belong to traditional 
crimes, for example, cutting off the electricity supply, destroying cables, moving antennae 
used in satellite communications; and more traditional crimes, for example, destruction of 


computers and peripheral facilities. '”° 


Nowadays, these actions are not uniformly regarded as 
cybercrime. Cybercrime against the Internet mainly exploits computer technology. The most 
typical attacks are through computer viruses and other malicious programmes. There has 
already been a long list of instances of serious viruses. 

In fact, sometimes computers and networks have the nature of both instrument and 
target. For example, an attack on the Internet must be launched through the Internet itself. As 
mentioned above, these classifications are not mutually exclusive. Rather, they can be carried 
out in a compatible way. The perpetrator’s Internet resources are more likely to be used as 
instruments, while that of the others are more likely to be aimed at as targets. The Internet is, 
however, composed of huge indivisible systems that can be both exploited or attacked. 

I should also emphasize that, “the stealing of computers, computer chips and other 


computer equipments from commercial premises” as in R. v. Kehoe and Others,'*! 


might 
seem not so relevant to our discussion at first glance. However, a natural result of these 
activities is that a computer-aided business and computer-processed data may be damaged, 
and thus it remains a cybercrime in our sense. Taking into account the disabling of the 


functioning of whole information systems, and the loss of information in internal memory 


media, thefts of computers and their parts represent more than illegal access to the systems 





'0 These were regarded as computer crimes in books published several years ago. For example, Icove 


and co-workers (1995), saying that “Terrorist bombings on buildings housing computer equipment, 
arson, and theft and destruction of computer equipment fall into this category.” 

'"! Tt has been dubbed a “highly sophisticated and successful criminal enterprise,’ what one of the 
perpetrators confessed as that “Computer crime is what I do.” [1998] EWCA Crim 1163 (1* April, 
1998). See also Section 6.3. 


136 


and information. For instance, in Investigation into Security of Personal Information Held by 
Vancouver Coastal Health Authority’s Employee and Family Assistance Programme, the thief 
stole from the office of manager of the administration a desktop computer containing a 
database of approximately 11,000 clients. ‘77 


> where the victim was robbed of 


A different situation appeared in R. v. Moseley, 
property, including “computer and electrical equipment, a rucksack and a personal organiser, 
and cash cards.” In THO:2005:28, two portable computers were found at the accused’s two 
residences. The charge and the conviction against the perpetrator mentioned nothing about 
the particularity of the computer and the information inside it. The computer here is nothing 
more than a target of traditional robbery—no information systems were interrupted, and no 
information was destroyed or disclosed. 

In addition, the term information systems is used here in a broad sense as referring to 
information systems and the information in them. In practice, these two conceptions are 
usually used separately. For example, in the U. K., the Computer Misuse Act 1990 has been 
assigned the principal function of defending the integrity of the systems but not of 
information, while the latter task falls on the Data Protection Act 1984. A 

Offences in which information systems are targeted roughly cover: 

5 


. : : 12 
1. Unauthorized access to information systems, 


2. Unauthorized access to information, !”° 





'2? Investigation into Security of Personal Information Held by Vancouver Coastal Health Authority's 
Employee and Family Assistance Program, Re, 2006 CanLII 20511 (BC LP.C.). 

"3 [1999] EWCA Crim 1089 (21“ April, 1999). 

'°4 DPP v. Bignall [1997] EWHC Admin 476 (16 May 1997) 

"5 This has been criminalized by Convention on Cybercrime, Article 2; the Danish Penal Code Article 
263, Section 2; the Finnish Penal Code Article 28; the Swedish Penal Code, Chapter 4, Section 9c. In 
United States v. Sablan (Ninth Circuit No. 94-10533, D. C. No. CR-94-00017-JSU, 7 August 1996), 
the accused has recently been dismissed from a bank. After some drinking, she used a key she had kept 
and went to her former work site, where she used an old password to log into the bank’s computer, 
modified or deleted several files, and then logged off. 

'6 Tn legal instruments, illegal access to information system and illegal access to the information in 
the system are usually linked together, neglecting their obvious difference. In the Convention on 
Cybercrime, Article 2, illegal access to information was the purpose of illegal access to an information 
system. A similar provision is seen in the Danish Penal Code Article 263, Section 2. the Finnish Penal 
Code distinguishes between these two acts, dealing with illegal access to information in Article 38. 
See also the Swedish Penal Code, Chapter 4, Section 9a. In United States v. Czubinski (First Circuit 
No. 96-1317, 21 February 1997), the court reversed the original conviction, which was based on the 
accused's “unauthorized browsing of taxpayer files” with his valid password, even though he was 
required to access only accounts needed to accomplish his official duties. 
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3. Unauthorized alteration of information,'”’ 

4. Unauthorized interruption of information systems, * 

5. Attack by viruses, worms, logic bomb, Trojan horse, and other malicious 
programmes, ”” 

6. Theft of computer time, network time, or telecommunications services, a specific 
form of illegal access, 

7. Possession, disclosure and providing unauthorized persons with unauthorized 
information; or unauthorized possession, disclosure and providing unauthorized persons with 
30 


information, both being the extension of illegal access to information. 


8. Unauthorized interception of communications.'*! 


4.8.2 Information systems as a tool of the offence 


The offences in which computers and networks are utilized as tools have the longest 
history in computer crime (Parker 1976; Bequai 1978). Networks are widely interconnected 


outside the limits of time and the boundary of space. As society is becoming more dependent 





'°7 Convention on Cybercrime, Article 4, providing computer-related fraud through inputting, altering, 
deleting or suppressing computer data, interfering with the functioning of the computer system. It 
covers both alteration of information and influence on the information system. See also the Danish 
Penal Code, Article 291; the Finnish Penal Code, Articles 33 and 35; the Swedish Penal Code, Chapter 
12, and when the acts involve public danger, Chapter 13, Sections 4 and 5. In United States v. 
Magnuson (Fourth Circuit No. 964957, D. C. No. CR-96-186-A, 24 June 1997), the accused used his 
home computer to intrude into and disable the victim’s computer servers in seven states. 

8 Convention on Cybercrime, Article 5. See also the Danish Penal Code, Article 193; the Finnish 
Penal Code, Article 35; the Swedish Penal Code, Chapter 12, and when the acts involve public danger, 
Chapter 13, Section 4 and 5. 

29 Convention on Cybercrime, Article 6. See also Danish Penal Code, Articles 193 and 291; Finnish 
Penal Code, Articles 33 and 35; Swedish Penal Code, Chapter 12, and when the acts involve public 
danger, Chapter 13, Sections 4 and 5. In United States v. Sullivan, (Fourth Circuit No. 01-4330, 25 
January 2002), the perpetrator planted a logic bomb into the software prepared for the company before 
he quit. Four months later, the logic bomb disabled hundreds of hand-held computers used by the 
company's sales representatives to communicate with headquarters. 

'30 Tn the United Sates v. Pitts (Fourth Circuit No. 97-4616, 28 January 1999), the accused, who "was 
trusted with access to very sensitive and highly classified materials related to counterintelligence 
operations, surveillance of Soviet officials assigned to the United Nations, and the true identities of 
American agents and Soviet defectors", "attempted to provide or made preparations to provide his 
undercover FBI handlers with computer diskettes containing information classified as 'Secret'’..." 

51 Convention on Cybercrime, Article 3. See also the Danish Penal Code, Article 263; the Finnish 
Penal Code, Article 38; the Swedish Penal Code, Chapter 4, Section 8. 
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upon computer data processing and the telecommunications systems. With the Internet, 
crackers intrude into others’ computers, web sites, e-mail accounts of individual and 
organizational users whose data, secrets, privacy and electronic property are stored there. 

Under these circumstances, the Internet is becoming the instrument by which 
perpetrators commit not only traditional crimes but also new crimes. It is not only the 
instrument by which people commit crimes, but also the instrument through which people are 
victimized. In using the Internet, some people unwittingly break the law, while others are 
unwittingly harmed by crimes. Definitely, under more circumstances, perpetrators 
intentionally use the Internet to commit criminal acts. Therefore, the crackers who intrude 
into others’ cyberspace through wired or wireless connections to the Internet are violating 
others’ privacy, plundering others’ data, stealing others’ secret information, and embezzling 
others’ property. 

This kind of cyber instrument contains both the similarities and the differences from the 
traditional instruments. The case where one opens others’ e-mails by a password, then marks 
it as unread and exits, is comparable to the case where someone opens one of the letters of 
another with a knife, and then seals it with glue. They both constitute an infringement of 
freedom of correspondence, but the concept of instrumentality is different. The instrument of 
the Internet bears with it the characteristic of a remote control, in which the criminal is not 
necessarily present in person at the crime scene where the letters exist, and does not 
necessarily leave footprints or fingerprints. The traditional notion of crime scene also changes 
because of this instrument. 

Offences in which information systems are used as tools roughly cover: 


1. Forgery and counterfeiting, *” 





'S? The Convention on Cybercrime specifies the criminalization of computer-related forgery, as an act 


committed through inputting, altering, deleting, or suppressing data. In the national domain, these 
crimes induce no obstacle to applying traditional law, for example, the Finnish Penal Code, Article 33 
can be applied to computer-related forgery. For example, in R. v. Lloyd ({[1996] EWCA Crim 1744 
(17 December 1996)), the accused was found using a computer with programmes for manufacturing 
compact discs , a compact writer and blank compact discs to replicate computer programmes. In R. v. 
Boutrab ((2005] NICC 36 (24 November 2005)), the accused used a false passport with the intent of 
inducing an employee to accept it. In R. v. Adeoye & Anor ([1997] EWCA Crim 1343 (3 June 1997)), 
the perpetrator used computer programmes to produce credit cards from plastic blanks. In search, “the 
police found a printout containing 10,000 credit-card numbers produced by a computer programme.” 
In RovHO 12.06.2001 335, the three suspects, with the assistance of the computer, forged identity 
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2. Computer-aided unauthorized copy of software and other copyrighted works, '** 


3. Telecommunication piracy, 
4. Fraud using information systems, '*° 


5. Password sniffering and keylogging.'*° 


4.8.3 Information systems as a medium for the offence 


As a form of media, computer networks have their advantages over the traditional media. 
They surpass the limits of time and space, languages and traffic, and political and legal 
boundaries. The Internet enables people to “upload, post, e-mail, transmit or otherwise make 
available content that is unlawful, harmful, threatening, abusive, harassing, tortuous, 


defamatory, vulgar, obscene, libellous, invasive of another's privacy, hateful, or racially, 
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ethnically or otherwise objectionable. In fact, racist speech, tutorials for killing, raping, 


arson, bomb-making and even instructions for virus creating, malicious programme writing, 
and other forms of cyber attacks are widespread on the Internet. Various degree of political 


cards used for the unauthorized users to watch television programmes transmitted by a company. 

'33: See for example, R. v. Johnstone ([2003] UKHL 28 (22 May 2003)), in which the accused pirated 
recordings and made compact discs and audio cassettes. In THO:2006:6, the accused was said to have 
made, without the permission of the right holder, 381 karaoke CDs in order to make a profit through 
using them in the karaoke business. In KouHO:2005:11, the co-defendants cooperated to make and 
sell DVD copies without the permission of the right holders. 

'* Tn United States v. Clayton (Ninth Circuit No. 96-10127, 11 March 1997), "cloning" was practised 
by the perpetrator to replicate the stolen identification numbers of legal mobile phones with the help of 
computer software; they were then used to make calls at the expense of the owner of the legal phone. 
See also United States v. Cabrera (Eleventh Circuit Nos. 98-4432, 98-4434, D .C. Nos. 
96-CR-562-DLG, 98-CR-77-DLG, 19 April 1999), where the accused used a small device named 
“copy-cat” to clone cellular phone. 

'S Tn R. v. Russell ((2001] NICA 45 (12 October 2001)), the accused used a computer identification 
number and password to access confidential files in the computer system, identifying persons that he 
considered likely to claim any type of benefit, and gathering names, addresses and national insurance 
numbers. After this, he passed the information to a co-offender to make false claims for fraudulent 
benefits. In R. v. Farkas (2006 ONCJ 121, 10 April 2006), the accused made a profit of 45,000 dollars 
from victims in the U. S., Canada, and England through fraudulently acquiring goods and fraudulently 
selling them over a period of 18 months via the Internet purchasing and auction. During the fraud, he 
obtained credit-card information through on-line chat groups and bulletin-board systems. He sold 
these goods to legal collectors, during which he received money but did not send the goods to the 
purchasers. 

'8° Tn United States v. Ropp (C. D. California, 7 October 2004), the accused placed a keylogging 
device on the cable that connected the victim’s keyboard to her computer's central processing unit, 
recording and storing what the victim typed with the keyboard. The indictment was dismissed, but the 
court made it clear how keylogging works. 

'57 See Yahoo! Terms of Service. Retrieved 15 March 2007, from http://docs.yahoo.com/info/terms/ 
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incitement, libel, rumour and superstition crowd up to mislead the public, going even further 
than the traditional media. Many countries are confronted with web sites managed by 
separatists, dissidents, and international opposition forces. These web sites always publish 
their opinions that are harmful to their government but beneficial to themselves. Now, 
information of this kind is being practically exported and imported across national borders at 
the speed of light. 

One of the notable problems is slander, the false statements that come across the 
innovative online media injuring others’ reputations by publishing false statements. The 
forms of such slander mainly include impersonating others to solicit sex mates, one-night 
lovers, publicizing others’ telephone numbers, and fabricating photos by inserting the photos 
of other persons into pornographic photos, etc. 

In addition, the online content may cause an international concern, such as racist and 
xenophobic material, that is, “any written material, any image or any other representation of 
ideas or theories, which advocates, promotes or incites hatred, discrimination or violence, 
against any individual or group of individuals, based on race, colour, descent or national or 
ethnic origin, as well as religion if used as a pretext for any of these factors.” '** 
Offences in which information systems act as media roughly cover: 

1. Dissemination of obscene material, in particular child pornography, mee 


2. Dissemination of racist and xenophobic material through computer systems, “° 





'88 Additional Protocol to the Convention on Cybercrime Concerning the Criminalization of Acts of a 
Racist and Xenophobia Nature Committed through Computer Systems, Strasbourg, 7 November 2002, 
Article 2. 

8° In United States v. Slanina (First Circuit, No. 00-20926, 12 February 2002), the accused was 
convicted of using a city computer to access newsgroups and download pictures of child pornography. 
In R. v. Kozun (2007 MBPC 7), the accused distributed child pornography through his own personal 
computer, in which a programme converted the computer into an automated trading centre on the 
networks. The police found 3522 files (3368 pictures and 154 movies) in his computer that could be 
considered as child pornography and available for trade. The age-range of the children involved was 
between 8 months and 14 years. In Alan Joseph Ogilvie v. Her Majesty’s Advocate [2001] ScotHC 69 
(27th July, 2001), the accused downloaded from the Internet 12,000 images of child pornography onto 
his first computer and upon its confiscation, he downloaded a further 10,000 images of the same 
nature into his newly-bought second computer. In the Convention on Cybercrime, Article 9 
criminalizes offences related to child pornography. 


‘4° Tn the Additional Protocol to the Convention on Cybercrime, Concerning the Criminalization of 
Acts of a Racist and Xenophobic Nature Committed through Computer Systems (2003), Article 3 
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3. Online false statement about individuals or corporations, “! 
4. Indecent exposure, “” 


5. False advertising, 


6. Disclosure of confidential information. !” 


4.8.4 Information systems as a route to the offence 


Cybercriminals can launch attacks from any computer in different jurisdictions. The 
continued development of techniques and skills for attacks makes it more difficult and 
complicated to investigate and prosecute these crimes (McConnell International 2000, pp. 
1-2). Information systems can be used to transmit various malicious programmes that have 
the capacity to disrupt, destroy or limit the functions of information systems. For crackers, 
using software tools installed on a computer in a remote location, can illegally access to 
computer systems to obtain data, plant viruses or Trojan horses, or cause less serious mischief 
by changing user names or passwords. As to spies, corporations and governments are 
committing espionage through the superhighway of the world’s Internet. Espionage can 


penetrate the best security systems and the highest levels of management in cyberspace. 





criminalizes dissemination of racist and xenophobic material through computer systems, Article 4 
criminalizes racist and xenophobic motivated threat, Article 5 criminalizes racist and xenophobic 
motivated insult, Article 6 criminalizes denial, gross minimization, approval or justification of 
genocide or crimes against humanity, and Article 7 criminalizes aiding and abetting. 

'*' Defamation, including libel and slander, can be dealt with either civilly or criminally, in different 
jurisdictions. In the U. K., many cases have been settled in civil actions, for example, Godfrey v. 
Demon Internet Limited [1999] EWHC QB 244 (26th March, 1999) , where the accused party hosting 
a newsgroup in the U. S. published a piece that was “squalid, obscene and defamatory of” the victim; 
Robertson v. Newquest (Sunday Herald) Ltd & Ors [2006] ScotCS CSOH_97 (28 June 2006), where 
the defendant, a newspaper, which had an online edition, in which a notice was considered of a 
defamatory nature by the plaintiff was posted by a member of public; in Turner v News Group 
Newspapers Ltd. & Anor [2005] EWHC 892 (QB) (12 May 2005), the co-defendants, including one of 
the victim’s former wives and a newspaper published an article on how the victim pursued sex with 
strangers in both printed and online forms. 

“ Tn Robertson v. Her Majesty's Advocate ([2004] ScotHC 11 (17 February 2004)), the perpetrator 
induced a seven year old girl to dance naked in front of a webcam and lick her private parts in front of 
said webcam, inter alia (paragraph 9). 

* In Edward Yearly v. Crown Prosecution Service ([1997] EWHC Admin 308 21 March 1997), the 
perpetrator published confidential information that he obtained by unauthorized access. There have 
been numerous cases of such a nature in recent years in the U.K., for example, Grimm (2005, p. 598) 
reported that 140 applications for the National Institutes of Health (NIH) grant had been leaked on to 
open access web pages. 
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Pirates, in their turn, can perfectly reproduce and easily disseminate text, audio, video or 
multimedia works by using digital technology (Grabosky 2000, p. 8). Some web sites are 
devoted to “charities” of this kind, similar to providing relief for the poor, who cannot afford 
expensive software, and thus the market of piracy acts as a solution to satisfy these users. The 
Internet has increasingly been exploited to distribute pirated works, with the development of 
new file-sharing techniques. 

In the case of illegal access to others’ web sites, the intruders may view no document, 
but usually view encrypted or unencrypted documents, obtain documents, read or delete 
e-mails, reveal documents to others, destroy files and make the systems inoperable, or use 
others’ accounts to connect with the Internet. The attacks on web sites are growing in 
intensity. According to the data of the previous Alldas web site, forty-seven attackers defaced 
72 web sites in 1998, about 430 attackers defaced 1,079 web sites in 1999, about 2,555 
attackers defaced 4,394 web sites in 2000, and in the first quarter of 2001, about 667 attackers 
defaced 4,797 web sites, a number greater than the victimized web sites of the previous year. 
Among these cases, the first 15 attackers who defaced at least one percent of the defaced web 
sites, did one-third of the defacement. The first eight top domain names of the mostly defaced 
web sites were: “.com,” “.br’, “net”, “.cn”, “tw”, “org”, “.edu”, and Shige Although the 
similar source is at present unavailable and several years has passed, this old information 
indicates that the web sites in the Asian Pacific region rather than Europe are the most likely 
to be defaced. 

The computer systems of national defence of various countries are also the primary 
targets for hackers. In some cases, the passwords of these agencies were successfully cracked, 
and other secret information was obtained and disclosed. 

Offences in which information systems act as a route roughly cover: 


1. E-mail bombing,'* 





'* These data are obtained and calculated from http://alldas.de by the author in 2001. Later the web 


site became unavailable. 

‘4S For an explanation of e-mail bombing and other e-mail related crimes, see Planet India Website, 
E-mail Related Crimes, n. d. Retrieved 15 March 2007, from 
http://cybercrime.planetindia.net/email_crimes.htm. There, the E-mail bombing is defined as “sending 
a large amount of emails to the victim resulting in the victim's email account (in case of an individual) 
or servers (in case of a company or an email service provider) crashing.” 
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2. Harassment through electronic communication, “° 


3. Identity theft and cyberstalking, 

4. Denial of service attacks (cyber terrorism), 

5. Distribution of pirated software, books, magazines, audio, video or live performances, 
etc., 


6. Infringement of industrial secrets and state secrets, 


7. Transmission of child pornography. <i 


4.8.5 Information systems as a place of the offence 


In the information age, much of the money, assets, state secrets and personal privacy are 
transformed into computer data and stored in computers, or circulated through the Internet. 
Meanwhile, networks become a giant gallery of pornography, or a gambling house. Networks 
do not have value orientation, have no culture, have no legal consciousness, but the 


information stored and the activities taking place are either protected or prohibited by law. 





' See, for example, R. v. Jonhson (Johnson, R (on the application of) v DPP [2005] EWHC 3123 
(Admin) (8 December 2005)), the accused used both traditional mail and electronic means to harass 
the victim. He searched the home address of the victim through the Internet, and sent letters or e-mails, 
harassing the victim directly, or sent letters or e-mails to the employer of the victim questioning her 
conduct, harassing her indirectly. This behaviour not only affected the victim herself, but also her 
family and others. In R. v. Debnath ((2005] EWCA Crim 3472), the female perpetrator harassed the 
male victim by sending fake e-mails to his fiancée and employer; by registering the victim on a web 
site for people with sexually transmitted diseases seeking sexual liaisons; and by setting up a web site, 
which had fake information detailing alleged homosexual practices by the victim, and so forth. In X v. 
European Central Bank ((Officials) [2001] EUECJ T-333/99 (18 October 2001)), the perpetrator 
repeatedly procured through the Internet documents of a pornographic and political nature and, of 
having sent them to third parties through e-mails, sent his colleague numerous messages through 
e-mails containing pornographic and ideologically extreme materials, despite the disapproval of the 
colleague concerned. 

''7 Tn KKO:1999:115, the accused allowed e-mail users to copy computer programmes from the 
mailbox. The mailbox could be viewed as a deposit place, but the software was transferred through 
information systems. 

'*8 In United States v. Muick (Seventh Circuit No. 97-CR-30004, 8 February 1999), the American 
defendant used telephone and modem to download child pornography from a computer in Mexico in 
1994, when the Internet was not pervasive. In R. v. Treleaven (Provincial Court of Alberta, 2006 
ABPC 99, No. 060138286P1, 24 April 2006), the accused possessed 20 gigabytes of child 
pornography files which were identified depicted real children of both genders. While the police 
arrested him, his computer was still online, with dozens of other users queuing up to access the 
pornography. 
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Furthermore, the “place” of networks is trans-territorial outside a unified legal system. 
Aggressions and harm take place at the terminals, which seems to be the only place where the 
crimes occur. 

Factually, this is contradictory brought about by the special characteristic of the “place” 
of network. When the Internet is used to facilitate gambling, pornography, prostitution or 
trading in prohibited drugs, it become a cyber casino, a cyber brothel, a cyber museum or a 
cyber storehouse. 

Definitely, the Internet cannot be a real place for prostitution, but it facilitates the 
provision of and spread of information about prostitution to unspecified third parties. The 
Internet can also be a convenient marketplace for pirated software, books, pictures and audio 
discs and videodiscs. People also transact prohibited articles as well as prescribed medicine, 
including weapons, drugs, and philtres. Advertisements for the transaction of human organs 
also appear on the Internet (Li 2003). 

In some countries, it is prohibited to create, replicate and spread pornography, either 
adult or child, either online or offline. In addition, downloading and browsing pornographic 
web pages is illegal as well. In some other countries, however, adult pornography is legal. 
The conflict of jurisdiction may also take place in gambling and prostitution, drug trafficking, 
money laundering, and trade in weapons and even human trafficking. It is beyond the reach 
of domestic laws. More than ever before, the conflicts of criminal jurisdictions have become 
a serious concern. Thus in the face of the Internet, state control is diminished and criminals 
can launch attacks from another country where law enforcement is absent. 

Furthermore, the Internet is likely to become the battlefield where cyber warfare takes 
place. The cyber-war criminals should be held liable for offences comparable to those 
punished by present international criminal law. 

Offences in which information systems appear as crime scenes roughly cover: 

1. Intellectual property infringement, as 


2. Collection and exhibition of child pornography, '°° 





' Convention on Cybercrime, Article 10 criminalizes offences related to infringements of copyright 
and related rights. 

'S° The hard drive and other deposit media can easily save thousands of images. In R. v. Paton (2005 
NUCJ 7), the accused saved approximately two thousand images of children in the hard drive of his 
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3. Sale of illegal articles (such as fire arms, alcohol, prescriptive drugs and other 
controlled substances),!° : 
4. Online (illegal) gambling, 


5. Fraud on the Internet (such as Internet auction fraud, multi-level marketing fraud). 


4.8.6 Information systems as means of the offence 


Computers and networks can also be a means in offences such as assault, threat, 
harassment, creating a false alarm, spam and fraud through text, audio or video information. 
Information systems are used as a means of communications in these cases. The comparable 
traditional mechanism is the postal system and telephone system. Dissidents have found ways 
of using e-mail and WWW as both media and means to air effectively their political 
grievances. As to information systems as a means, the e-mail and WWW simply play the 
function of a post office or a telephone company. Information can be exported from one part 
of the globe, where it is not necessarily illegal, to a state where possession of such data is 
criminalized. The e-mail and WWW also provide dissidents with an uncontrollable means of 
communication between their domestic and overseas comrades. This has implications for the 
freedom speech of citizens and the state stability of related countries. 

Offences in which information systems act as a means roughly cover: 


1. Electronic extortion, harassment, creating a false alarm, threatening, and assault, !° 





computer. In United States v. Long (Seventh Circuit No. 04-1721, 22 February 2005), the accused 
saved tens of thousands of images of child pornography on a computer that he kept at work (p. 1); 
while in the United Stated v. Newson (Seventh Circuit No. 03-3366, 5 April 2004), the perpetrator 
saved child pornography (pictures of his daughter and his ex-girlfriend’s daughter) in his own 
computer. In R. v. Reynolds & Ors ((2007] EWCA Crim 538 (08 March 2007)), the police found in the 
computer equipment a total of “1,757 still photographs and eight movies at level 1; 1404 stills and 46 
movies at level 2; 54 stills and 2 movies at level 3; 22 stills and one movie at level 4; and 7 stills at 
level 5.” 

Sl For example, in R. v. Hamilton, 2005 SCC 47, Docket: 30021, over the Internet the accused sold a 
package of 200 files, about 5 of which “contained material relating to constructing bombs, breaking 
and entering, and ‘visa hacking’,” one of which “contained information on a credit-card number 
generator” (paragraph 2). 

'S? Tn United States v. Ray (Eighth Circuit, No. 05-1655, 15 November 2005), the perpetrator sent 
e-mails to a company to extort 2.5 million US dollars by threatening to exploiting a breach in its 
computer security (p. 1). In R. v. Lefave (Ontorio Supreme Court of Justice Court File No. 
CrimJ(P)6527/02, 3 October 2003), during an Internet chat between a woman and a man, the man who 
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2. E-mail spoofing (phishing).'™° 


4.8.7 Information systems used in preparation for other offences 


Information systems are increasingly being used to prepare for further offences. These 
offences include both cybercrimes and traditional offences. More and more traditional 
offences against person or property seek assistance from information systems. Wasik (1991) 
stated that “it is certainly conceivable that a computer may be used as the means of bringing 
about a person’s death or causing physical injury,” with associated offences including 
destruction and damage, denial of access to authorized users, death, physical injury, and 
endangerment, blackmail, corruption, official secrets, etc. (p. 150) Perpetrators frequently 
exploit information systems in two ways. One is that perpetrators conspire through the 
Internet (for example Guo and Wang, Great River Newspaper, 29 July 2003). Other cases 
have also involved conspiracy to commit robbery, abduction, and so forth. The second 
manner of exploitation is that the perpetrators pursue victims through the Internet. The most 
common cases involve robbery, abduction, murder, blackmail, and rape (for example, Geng, 
Pingliang Daily, 27 February 2003). 

Cybercrime is a topic covering a very wide scope. Almost all the traditional crimes, 
including murder and arson, can be committed with the assistance of computers and networks. 


To call these crimes cybercrime is not inappropriate, and consideration of the use of 





later became the accused stated that he "wanted to rape his seven year old daughter and kill himself." 
The woman disclosed the concerns to the police. He was charged with communicating a threat using a 
computer. 

' Phishing “consists of creating fictitious domain names and websites all with a view to extracting 
bank account details from gullible individuals.” See Novus Credit Services Inc v Discover Financial 
Services LL C [2006] DRS 03205 (27 January 2006). Through phishing site, the perpetrator can obtain 
“key personal details from users of the webpages to which those domain names resolved” 
“fraudulently” (See Alliance & Leicester PLC v Brawn [2006] DRS 4135 (18 December 2006)) or the 
perpetrator may acquire “confidential financial information inappropriately” (See Royal Bank of 
Scotland Group PLC v Laverio [2006] DRS 3953 (16 October 2006)). In United States v. Desir 
(Western District of Pennsylvania, 2005), the accused devised a scheme to defraud through fraudulent 
web sites, persons who believed they were dealing with web sites of legitimate institutions, and online 
auction and payment services. E-mail spoofing can also be used in e-mail bombing. For example, in 
United States v. Carlson (Third Circuit No. 05-3562, 12 December 2006), the accused launched two 
types of e-mail attacks: direct attack, in which he directly sent thousands of e-mails from different 
addresses to one address to flood it; and indirect attack, in which he sent one e-mail from one address 
to thousands of different addresses, but the sending address was the one that he spoofed. 
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computers and networks into research of these crimes is also necessary. 

However, this dissertation studies cybercrimes with unique characteristics, specifically, 
the crimes relating to security, including the security of information systems, the security of 
e-commerce, and the security in which information systems serve a critical infrastructure. 
Although murder and arson are also tied up the issue of security, for example, the security of 
life and health, public security, property security and so forth, they are neither unique to the 
information society nor do they have special features. The crimes discussed in this 
dissertation are limited to those in which information systems play a unique role, as either 
target, tool, route, place, medium, means, or they are used in preparation for other crimes. 
Other crimes may be referred to when necessary in discussing these crimes. 

Offences in which information systems are used in preparation for other crimes cover a 
broad range, but the most usual ones roughly cover: 

1. Communications in furtherance of criminal activity or criminal conspiracy, '~* 

2. Electronic money laundering, 

3. Online tax evasion, 


'S4 Th R. v. Poon and Wong, 2006 BCSC 1824, Docket: 23635, four offenders abducted a victim from 
whose family they requested a ransom, during which they sent proof-of-life photographs through the 
emails to the victim’s family or friends (paragraph 15). In R. v. Kwok, 2007 CanLII 2942 (ON S.C.), 
Docket: P134/06, from the computer of the accused were revealed of about 2000 images and 60 video 
clips of child pornography. Along with these materials was recovered written material of “graphic 
chatroom conversations between paedophiles about how much they enjoy sexually abusing young 
children and babies and about where pictures and videos of such activity can be obtained.” (paragraph 
1). In R. v. O’Brien (2002 YKTC 94, Docket: 02-00176A * 02-00305), the accused used pagers, cell 
phones and computer internet email to communicate with cocaine suppliers and_ other 
associates(paragraph 4). In R. v. Brown, 2006 CanLII 12302 (ON S.C.), Docket: C44863, the accused 
used e-mail and other online communications to contact a girl on the age of 13, with the intent making 
her leave her family. In United States v. Christopher Lee Adjani; Jana Reinhold (No. 05-50092 D. C. 
No. CR-04-00199-TJH-01 OPINION, 13 January 2006), the accused were charged with conspiring to 
commit extortion and transmitting threatening communications with intent to extort, based partly on 
the incriminating e-mails seized in their computers (p. 7581). In R. v. Taylor and Burin ({[1997] EWCA 
Crim 1074 (2 May 1997)), Burin made checks on the Police National Computer to obtain the address 
of the owner of a car (usually one he had recently sold to the new owner) and passed the information 
to Taylor to use it to steal the car. Burin also modified information so that stolen vehicles would appear 
to be recovered, enabling Taylor to possess stolen cars. In the U. K., Section 58(1) and (2) of the 
Terrorism Act 2000 provides that possession of a computer file of a particular nature is likely to be 
punished, even if it is freely downloaded from the Internet: 

“(1) A person commits an offence if — 

(a) he collects or makes a record of information of a kind likely to be useful to a person 
committing or preparing an act of terrorism, or 

(b) he possesses a document or record containing information of that kind. 

(2) In this section "record" includes a photographic or electronic record.” Some cases have been 
punished according to this act, for example, R. v. Boutrab ((2005] NICC 36 (24 November 2005)). 
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4, E-mail spoofing (phishing). 


5. Child exploitation.’ 


4.8.8 Conclusion 


It is worth noting when I classify the potential roles of information systems in 
cybercrime or other crimes, I do not consider them as separate ones. As it has already been 
noted that, these roles can possibly be separated, found to be overlapping, or integrated in one 


'56 the accused used his own 


and the same case. For instance, in McKinnon v USA & Anor, 
computer to access illegally 97 computers of the U. S. government, installing remote control 
software, acquiring IDs and passwords, and deleting data from these computers. He even left 
a message expressing his interest in hacking these computers. Here, his own computer is a 
tool, the Internet is a route, and the U. S. governmental computers and the data in them are 
targets, and so forth. In R. v. bo,’ the accused took the minor female victims to the 
computer and behaved indecently while chatting online with women, during which he also 
touched the victims inappropriately on the breasts and vagina, showing them online 
pornography.'° ® The roles of information systems in such cases are multiple. 

In drafting legislation, it is also hard to give a clear-cut division between the different 
roles of information systems or of the part of it relevant in detailed offences. If any efforts are 
to be made for determining such a borderline, for example, one of the most puzzling 
situations will be met with in an offence relating to cybercriminal devices, particularly 
unauthorized possession, transaction, transmission, and utilization of passwords. 1? The 
passwords can be regarded both as a target, being a part of information systems, and a tool, 


for illegal access to the other part of information systems, in the same offence. 





155 Ror example, in United States v. Meek (No. 03-10042, 12 January 2004), the accused used the 
instant messenger to lure a child into a sexual encounter. 

'S° [2007] EWHC 762 (Admin) (03 April 2007). 

'57 [2006] NICA 7 (10 March 2006). 

'88 ibid., paragraph 9. 

'S? Such conducts are criminalized in the Convention on Cybercrime as Misuse of Devices (Article 6). 
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4.9 Clarification of relevant conceptions 


After reviewing previous definitions and providing a role-oriented definition, the current 
section will turn to clarify some relevant conceptions that are usually used to describe the 
characteristics of cybercrime. The definition of cybercrime has long been a pending question 
with regard to the existing criminological theories. The alternatives have been abundant and 
there have been a controversial exploiting of different theories by different researchers with 
different standpoints or with different empirical proofs. The concepts involved in this field 
include white-collar crime and economic crime, etc. The following paragraphs are designed 


to clarify the relationship between cybercrime and some of these concepts separately. 


4.9.1 White-collar crime 


Unlike most other criminal phenomena that bear traditional names, the conception of 
white-collar crime was coined by Edwin H. Sutherland in 1939 '® and defined 
“approximately as a crime committed by a person of respectability and high social status in 
the course of his occupation” (Sutherland 1949, p. 9). The historical development of and 
theoretical disputes over the patterns of white-collar crime have created many different 
definitions (Friedrichs 1996, pp. 2-11). Yet many are still making efforts to express their new 
understanding about the phenomenon (ibid., pp. 6-7; Helmkamp, Ball, and Townsend, 1996). 
The theories involved differ in emphasizing certain characteristics of white-collar crime such 
as “commission in a legitimate occupational context, respectable social status of perpetrators, 
presence of calculation and rationality (with economic gain or occupational success a primary 
goal), absence of direct violence, offenders’ noncriminal self-image, deterrence of and, a 
limited criminal justice system response.” (Friedrichs 1996, p. 6, citing different sources) 


Debates among criminologists also extend to the terminology, definition, and other issues 





'©° Geis and Goff stated in an introduction to the 1983 version of Sutherland’s book “White-Collar 
Crime” that “The thirty-fourth annual meeting of the American Sociological Society —convened in 
Philadelphia in 1939 during the academic recess between Christmas and New Year- was held jointly 
with the fifty-second gathering of the American Economic Association...Sutherland’s talk was entitled 
‘the While Collar Criminal,’ and it altered the study of crime throughout the world in fundamental 
ways by focusing attention upon a form of lawbreaking that had previously been ignored by 
criminological scholars.” (p. ix) Therefore, Sutherland initially coined the term “white-collar crime” in 
1939, published the paper in 1940, and published the book in 1949. 
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(ibid., pp. 6-7). 

The proposal for a concept “white-collar crime” was prior to the invention of the 
computer and the establishment of computer networks in the present sense, and most 
certainly before the emergence of computer criminal phenomena. The involvement of 
information systems in white-collar criminal activities leads people to attribute computer 
crime to white-collar crime because the process of the former has usually been considered 
impossible without a high level of knowledge or without convenient opportunities for access 
to the machine. The general public used to view computer crime as complicated because they 
had little chance for revealing the truth of the digitalized processing. In addition, the reality 
of computer crime has possibly been distorted due to overemphasizing business victims and 
underemphasizing consumer victims (Kling 1980, p. 14). 

Some studies have found that cybercrime is a low-technological crime, and not a 
high-tech crime (Molnar 1987). With the popular use of computers and networks, more than 
17 percent of the world population are connected online (Internetworldstats.com 2007), and 
the growth rate is still high. The tools available to only a small group of computer users in the 
past are now available to a large population who have their own computers and who are 
connected to global networks. More and more potential cybercriminals do not need 
sophisticated skills for creating malicious codes by themselves. Compared with traditional 
violent crimes, a majority of current cybercriminals are not manufacturing guns and powder, 
but picking them up and shooting. Even the rest of the cybercriminals can use available 
programmes to produce malicious programmes to reach their goals. Therefore, “respectability 
and high social status” are irrelevant among today’s cybercriminals. 

Definitions of almost all derivatives have insisted that the offences involved are 
committed in the course of employment. In cybercrime, such offenders would express 
themselves in the form of launching inside attacks. But otherwise, I have found that insiders 
only make up one fifth of the cybercriminals successfully prosecuted (Li 2006). That is to say, 
most of these cybercriminals do not commit cybercrime in their employment. This provides 
further negative proofs against the claim that cybercrime is wholly coincident with the 
concept of white-collar crime. 

Criminal phenomena, particularly those in new fields, are continuing to be transformed 
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from simple to complex, from more traditional to more modern, from non-occupational to 
more occupational. White-collar criminals’ increasing exploitation of information systems is 


a predictable tendency. 


4.9.2 Economic crime 


There has never been a widely accepted definition of economic crime. An example of one 
definition can be taken from Sjégren and Skogh (2004, p. 1), who have defined economic 
crime as a crime committed to gain profit within an otherwise legal business. 
Recommendation No. R (81) 12 of the Council of Europe’s Committee of Ministers of 1981 
listed a broad range of offences into economic crime, including computer crime, particularly 
theft of data, violation of secrets, and manipulation of computerized data. The relevant 
literature has taken it as natural that computer crime is a crime in which the computer is used 
as an instrument of economic crime (for example, Johnson 2006, p. 1). Actually, the motives 
of cybercrime can be very wide and cover dozens of different kinds of crime. Profit gaining is 
only one of the numerous motives of cybercrimes. 

Although it is difficult to find a motive behind a cybercrime (Philip 2002, p. 7), many 
different studies and research have drawn diversified conclusions on the classification of 
motives. According to Jordan and Taylor (1998), there are six common attitudes among 
hackers: addiction, curiosity, thrill of information searches, ability to access, peer recognition, 
and identifying security loopholes. Maiwald (2003, pp. 36-38) has concluded that hacker 
motivations fall into three categories, including the quest for challenge, greed, and malicious 
intent or vandalism. Kiger and co-workers (2004) have summarized the motivations of 
cybercrime as money, entertainment, ego, cause, entrance to social groups, and status. Pipkin 
(2002, pp. 17-28) has proposed that hackers may hack from a sense of intellectual motivation, 
such as educational experimentation, harmless fun, as a wake-up call; personally motivated, 
such as disgruntled employees, cyber-stalking; socially motivated, such as cyber-activism; 


politically motivated, such as cyber terrorism, cyber-warfare; financially motivated; and 
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motivated by ego. Kremen (1998) has classified hackers into ten types with “different sizes, 
flavours and colours.” 

In fact, the motives of cybercrime may vary in a way that is beyond the imagination. If 
we say that many cybercriminals have similar motives, we can also say that nearly every 
perpetrator has his or her own. Bequai (1983, pp 44-45) has summarized 17 different kinds of 
motives that propel the potential perpetrators to take the risk of committing computer crime. 
In Chapter 6, I identify and discuss more than twenty kinds of the commonest motivations 
according to the literature, cases and empirical studies. 

The reasonable conclusion drawn from the above studies is that the conceptions of 
cybercrime and economic crime are correlated but not identical. Some cybercrimes can be 
classified into economic crime, while some others cannot. It is also clear that economic crime 
committed with the computer and on computer networks make up only a part of the whole 


phenomenon of economic crime. 


4.9.3 Corporate crime 


Yeager and Clinard (2006) have defined corporate crime as “any act committed by 
corporations, that is punished by the state, regardless of whether it is punished under 
administrative, civil, or criminal law” (p. 16) and they have regarded it as a particular type of 
white-collar crime (p. 17). It is possible for corporations to commit cybercrime, and the 
relationships between these conceptions are become ever more puzzling. 

What is still unclear is the extent to which computer crimes are committed by 
corporations. In my study (Li 2006), corporate perpetrator was involved in only one out of 
115 cases, while all other cases were committed by either a single individual or group of 
individuals, at most the organized groups. Although the finding of the study cannot be 
regarded as having universality, it has sense in that not all cybercrime are being committed 


by corporations or organizations (Ibid). 
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4.9.4 Professional crime 


Insiders and outsiders constitute different ratios in different categories of offences. The 
categories in which the insiders constitute the majority of offenders include: data theft, 
espionage, and fraud (Li 2006). 

The categories in which outsiders constitute a majority of offenders include: all identity 
theft, 92.9 percent of embezzlement and corruption cases, 87 percent of attack and sabotage 
cases, 81.8 percent of viruses, worms, spyware and logic bombs, and 76.2 percent of hacking 
and sabotage cases. In fact, outsiders also constitute a strong ratio among fraudsters: about 
42.9 percent (Ibid). 

Former employees are included in the category of outsiders. A significant ratio of 
offenders who attack and sabotage are former employees, who constitute about 43.5 percent. 
Former employees also constitute 12.7 percent of offenders in hacking and illegal access 
cases, and about 7.2 percent of offenders in embezzlement and corruption cases (ibid). 

Overall, insiders and outsiders constitute 21 percent and 79 percent of all reported 
offenders separately classified. Former employees constitute 16 percent of all the outsiders. If 
we add up former employees into insiders, they would constitute about 34 percent of the total 
number of offenders, still a smaller ratio than the outsiders. The safe conclusion is that 


cybercrime is again not a professional or occupational crime (ibid). 


4.9.5 Trans-national crime 


Globalization is the hallmark of modern economic and legal activities. The trans-border 
movement of personnel, goods, and information paints an embarrassing picture of national 
boundaries. Information systems alone are no longer subject to the physical limit of 
traditional countries. Many offences traditionally committed in neighbourhoods, 
communities, and native areas now extend beyond national boundaries. Many other offences 
traditionally committed in a trans-border manner are becoming a means to acquire new 
markets in the more networked globe. Some new offences can, indeed, only be completed in 
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a trans-national style. Trans-national crime can be seen as the counterpart of international 
trade in civil society, being an involuntary transaction between perpetrators and the social 
order (in many cases, involving victims, but in many other cases, victimless). 


For example, in McKinnon v USA & Anor,'®! 


the accused used his own computer in 
London and obtained unauthorized access to dozens of governmental computers of the U. S., 
from which he discovered the identities of certain administrative accounts and associated 
passwords. He installed remote control software on these administrative computers. The 
software enabled him to access and change data at any time. 

Many people have taken it for granted that because computer networks are 
trans-national, naturally most crimes committed in relation to the networks are also 
trans-national. This poses a great concern among academia, law-enforcement agency, and 
legislature. However, this is still an unanswered question. In my study (Li 2006), altogether 
14 out of 115 cases were committed by international perpetrators or foreigners, a ratio 
weaker than 12.2 percent. Domestic perpetrators were responsible for the remaining 87.8 
percent of cyber criminals. The majority of the reported cases are domestic computer 
offences (Ibid). 

We can explain this phenomenon by listing the possibilities: 

First, information systems have crossed the national boundaries, but prosecuted offences 
are mostly confined within these boundaries; 

Second, due to lack of an international arrangement of law and enforcement, few 
trans-national cybercrime offenders have been investigated; and 

Third, offences are mostly territory-dependent, and do not cross the border at all. 

All these factors are responsible for the low likelihood of trans-national cybercrime, but, 
as we have seen and will see further, the absence of international legal harmonization and 
assistance mechanisms contributes primarily to the current invisibility of trans-national 


cybercrime. 


4.10 Conclusion 





'8! [2007] EWHC 762 (Admin) (03 April 2007). 
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The phenomenon of cybercrime is comprised of complicated acts and facts, which are 
multifarious, concealed and changing. There is no ready-made theory applicable for defining 
and categorizing various practical cases. A great many disputes exist among experts as to 
what exactly constitutes a cybercrime, for there is a lack of an internationally recognized 
criterion. Due to the lack of unified definition and classification schedule, the co-existence of 
different viewpoints inevitably results in conflicts in international law enforcement and to a 
waste of judicial resources. Cybercrime includes both new crime utilizing computer systems 
and new forms of existing crimes exploiting computer systems. 

Theoretical and legislative classifications group cybercrimes into different categories. 
However, the most characteristic pattern of cybercrime is that the detailed offences are more 
or less linked to information systems. The roles of information systems in the offences 
perpetrated have the potential to develop. The starting-point of cybercrime research should 
focus on the recognition of the roles of information systems in the offences perpetrated. It is 
the information system that makes perpetrators breach security protection, to exploit the 
function of this system, to transmit illegal materials through this system, to operate illegal 
commercial activities in this system, to air offensive speech in the forum of this system, to 
communicate with this system, and to use this system to prepare murder, harassment and 
other traditional offences. 

The definition does not determine the existence of cybercrime. Nevertheless, the 
definition endows this phenomenon a place on the academic terrain. Through definition, we 
are changing “cybercrime” into a research topic. Potential cyber warriors and cybercriminals 
may also learn from cybercrime incidences, about how they are committed, why they are 
reported, and what legal results are induced, etc., so that they can better trick the 
cybersecurity management, the victims and law-enforcement agencies. In contrast to the 
incentives of the crime perpetrators, scholars should analyse how and why these criminals are 
motivated, how and why victims are exposed, and how and why guardianships are absent. 
The next chapter will discuss the topic at the level of cybercrime as an academic research 


topic, to justify the value of cybercrime research. 
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CHAPTER 5. CYBERCRIME AS A RESEARCH THEME 


5.1 Introduction 


As we have seen in the previous chapters, due to the potential harm, both new types of 
crimes and new forms of old crimes concern individual and organizational social actors. 
Cybercrime has become one of the focuses of scientific research: as a research theme, a 
university course, a thesis topic, and particularly a multidisciplinary research topic. Research 
activities heavily rely on information systems, meaning research into the relevant literature, 
and court decisions with the making of international comparisons, too. This chapter gives a 
concise sketch of cybercrime as a research theme, and the special research methods facilitated 


by information systems. 


5.2 A new research theme 


We must currently take up a new field of study, a field different from any we have 
previously entered. The knowledge concerning cybercrime has become a challenging topic of 
scientific literature. This literature deals with questions such as: 

1. Description, including discussion of terms, definitions, characteristics, motives, scope, 
and scale of cybercrime; 

2. Scientific analysis, including analysis from the standpoints of criminology, criminal 
law, sociology, psychology, politics, ethics, culture (and subculture), economics, and 
technology, etc.; and 

3. Countermeasures, including recommendations from the viewpoints of technology, law, 
ethics, sociology, and economics, etc. 

As far as legal countermeasures are concerned, the literature covers both substantive law 
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and procedural law. Concerning substantive law, the literature endeavours to resolve the 
problems of the corpus delicti of cybercrime, gives a review of and a proposal on the 
adaptation of traditional law and the adoption of new law, a proposal on international 
harmonization, etc. Concerning procedural law, the literature seeks to resolve the problems of 
search and appropriation of evidence, the tracing and recovering of electronic evidence, 
problems arising from interception and privacy protection, and the use of international 
assistance, etc. 

Academic literature on cybercrime has been published in both the traditional and digital 
media. Law-enforcement agencies have also published relevant reports and proposals. 
International organizations are playing a significant role in implementing directives, 
guidelines, recommendations, and treaties. These establish a bedrock for implementing legal 
instruments and promoting international cooperation. 

In addition, cybercrime has become one of the themes of academic conferences, which 
are held at difference ranges, scales and for different purposes. These forums provide 
opportunities for people from different professional fields to exchange knowledge on 
phenomenological, legislative and judicial issues. Based on these exchanges, consensus 1s 
gradually expected to be reached. 

Some of these conferences are comprehensive, covering a wide range of topics. However, 
some conferences have concentrated on one or several specific topics with the purpose of 
increasing awareness at the public level, the state level, or international level; or having the 
purpose of discussing legislative or judicial issues. In addition, the common focus of these 
conferences is to discover an increasingly successful approach to deterrence. 

Again, cybercrime has been developed as a university course. Many universities teach a 
course specifically entitled “Cybercrime”. Others incorporate contents of cybercrime as part 
of their courses in criminal law, criminal justice, criminology, legal informatics, legal 


psychology, or law and technology, for examples, Lehtonen (2006), Saarenp4a (2005), etc. 





' For example, the Council of Europe Cybercrime Conference-High-Level Conference on the 
Challenge of Cybercrime, Strasbourg 15-17 September 2004; the Department of Defense Cyber Crime 
Conference 10-13 January 2006; Cybercrime Summit (2003-), Kennesaw State University, 19-23 
March 2007; the CyberCrime and Digital Law-enforcement Conference, Yale Law School, 26-28 
March 2004. 
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The contents of the course may have a different coverage. Generally, these courses 
analyse how the new information technologies are influencing the traditional legal approach 
to crime. For example, the course at the George Mason University explores the history of 
cybercrime, examining security-related, content-related, data-related, and system-related 
crimes, as well as individual, corporate and organized cybercrime and cyber terrorism. 
Inevitably, the course also deals with both substantive and procedural law problems, with 
special regard to both social-order maintenance and human-rights protection.'° The course 
instructor in the University of Essex recognizes the trans-national nature of cybercrime, takes 
a comparative approaches with special regard to North American legislation and the European 
Convention on Cybercrime. a 

As far as the objectives and projected learning outcomes are concerned, the course 
instructor at the University of Leeds has expected that the participants will understand the 
criminal opportunities brought about by the ICT and will explore the theoretical and 
legislative issues related to cybercrime. !© Because courses may be provided in different 
institutions for students of different concerns, they are also designed to meet different needs. 
The emphases in the courses thus range from theoretical exploration to practical training, 
from legislative reasoning to law-enforcement design, and from public regulations to private 
countermeasures. 

A typical structure of the course at the University of Oregon, for example, is composed 
of an introduction to “cybercrime”; substantive criminal-law issues; investigative techniques 
and tools; procedural criminal-law issues; international harmonization, and conclusions.!® In 
other institutions, the course may deal with a narrower scope of issues, but the general 


knowledge of cybercrime is a necessary component. 





°° For example, the course on Cybercrime, that is, Cybercrime -Law 499, at the George Mason 
University School of Law. See the Homepage of George Mason University School of Law. Retrieved 
15 March 2007, from http://www.gmu.edu/departments/law/academics/course_detail.php?num=499 

* For example, the course on Cybercrime, that is, Cybercrime - LW 655, at the University of Essex. 
See the Homepage of Department of Law, University of Essex. Retrieved 15 March 2007, from 
http://courses.essex.ac.uk/lw/ 

°° As described in the course at University of Leeds, Department of Law, Computers and Crime in 
the Information Age (LAW2410). See Homepage of Department of Law, University of Leeds. 
Retrieved 15 March 2007, from http://www. leeds.ac.uk/law/lawmods/cybercri.htm 

°° University of Oregon School of Law, Cyber Crime Course, Spring Semester 2004. Retrieved 15 
March 2007, from http://www.scanit.be/downloads/Feb2002_Arabian_Computer_News.pdf. 





159 


Lectures on cybercrime are being given in both traditional and innovative ways. 
Cybercrime is closely connected with ICT, which is designed to improve the “efficiency, 
accessibility and quality of the learning process” (Lesgold 1993, pp. 377-382). Computers and 
networks provide abundant information resources, learning resources and guidance resources 
(Ibid). Cybersecurity training and cybercrime courses are increasingly delivered through 
information systems, which facilitate as big an audience as possible. 

Furthermore, cybercrime has become a popular thesis topic. Students have increasing 
interests in the topic of cybercrime. For the sake of acclimatizing students to the social 
requirement, more and more law schools are making efforts to train experts in the field of 
cybercrime research. From various sources, we can recognize that many students succeed in 
completing their degree study after submitting theses on cybercrime, for example, Kowalski 
(1994) and Silvander (2004) in Sweden, Pihlajamaki (2004) in Finland, Abdulla (2006) in the 
U. S., to name some. 

Finally, cybercrime has become a favourite topic in multidisciplinary research. The 
courses on cybercrime offered in many universities are actually based on multidisciplinary 
research. Institutes for legal informatics have been established in many universities Courses 
on legal informatics are offered broadly, which integrate the content of computer security and 
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protection, and cybercrime. 





'87 For example, Centre de Recherches Informatique et Droit, Facultés Universitaires Notre-Dame de 


la Paix de Namur; Interdisciplinary Centre for Law and Information Technology (ICRI), Katholieke 
Universiteit Leuven in Belgium. Institute for Legal Informatics, Faculty of Law, University of Lapland, 
Finland. Norwegian Research Centre for Computers and Law (NRCCL),University of Oslo, Norway. 
Institut fiir Rechtsinformatik, University of Hanover; Intitut fiir Informationsrecht, University of 
Karlsruhe; Institute for Law and Informatics, University of Saarland in Germany. Institute for Legal 
Philosophy, Sociology of Law and Legal Informatics, Faculty of Law, University of Graz; 
Universitatslehrgang fiir Rechtsinformatik und Rechtsinformation, University of Vienna in Austria. 
The Laboratory of Legal Informatics of the Institute of State and Law of the Academy of Sciences of 
the Czech Republic. In Spain, Informatica y Derecho, Universidad de Zaragoza; Centre of Law and 
Computer Studies of the Balearic Islands, University of the Balearic Islands. Institutet for 
rattsinformatik, University of Stockholm, Sweden. Information Technology Law Unit, Centre for 
Commercial Law Studies (CCLS), Queen Mary & Westfield College, University of London; Centre 
for Law, Computers & Technology, University of Strathclyde in U. K.. Research Centre of History of 
Law, Philosophy and Sociology of Law and Computer Science and Law, Universita degli Studi di 
Bologna, Italy. Department of Legal Informatics, University of Lithuania; Legal Informatics Centre, 
Vilnus University in Lithuania. Computer Law Institute, Faculty of Law, Vrije University, Amsterdam; 
Department for Law & IT, University of Maastricht; Centre for eLaw (Centrum voor recht in de 
informatiemaatschappij), University of Leiden; Institute for Information Law, Faculty of Law, 
University of Amsterdam; Centre for Law & ICT, University of Groningen; Law & Technology 
Department, University of Rotterdam; Centrum voor Recht, Bestuur en Informatisering, University of 
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Computer security specialists, sociologists, criminologists, psychologists, psychiatrists, 
economists, and jurists are all engaged in studies and research on cybercrime. On the 
understanding that studies and research emphasize particularly theoretical discourses, the 
globally-established anti-cybercrime institutions not only provide theoretical explanation, but 


also provide practical findings. They supply laws and cases, proposals and guidelines, etc. 


5.3 Information systems and cybercrime research 


The research process relies heavily on information systems, through research into the 
relevant literature and court decisions, thus rendering international comparisons more 
attainable; while additionally, the results of experiments are also available from specific 
laboratories. 

First, research on the existing literature represents an important approach for scholars to 
develop their own ideas. The research on cybercrime has been pursued for several decades 
and the previous literature provides a shortcut for latecomers. 

From the historical standpoint, it is worth noting that when the Internet began, it was 
strongly connected with military and academic activities. Now, with many resources uploaded 
on the networks, cyberspace facilitates legal research work. '* The unprecedented 
accumulation of knowledge in the new media helps the construction of the global village 
(Giivenen 1998, pp. 1-10). Worldwide scientific research networks also give power to 
cybercrime research. Web-assisted legal study has become a realistic and feasible approach. 
The development of both the private sector and public sector in digitalization and 
informationization as well as the establishment and open access of legal databanks has 


considerably eased the research (Ibusuki 1995, 1996). There are also a great many systematic 





Tilburg in the Netherlands. Centre for Legal and Economic Issues of Electronic Communication, 
University of Wroclaw, Poland. In the U.S., Legal Information Institute, Cornell Law School. In 
Australia, Australasian Legal Information Institute, joint facility of UTS and UNSW Faculties of Law. 
This is only a selective list established through search engines by the author. 

'68 Lyonette Louis-Jacques, Legal Research Using the Internet. Retrieved 15 March 2007, from 
http://www.lectlaw.com/files/Iws56.htm 
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bibliographies available on the Internet, either on special topics or on general problems.‘ 


Online academic communities can conveniently use search engines, electronic journals, 
catalogues, lists, directories, tutorials, forums, and text, audio and video interactive messages 
in their research. As far as electronic journals are concerned, they are becoming important 
resources of academic materials. The online journals take three forms: an 
electronically-augmented form of printed journals, parallel but alternative form, and 


electronic-only form.'”° 


There have roughly two access methods: open access or access via 
subscription. At present, low cost and broad access are enabling an increasing number of 
online journals to take the electronic-only form. 

Secondly, it is necessary to analyse cases in research on crime or on law. The status of 
court decisions has long been acknowledged in the domain of legal informatics. Cases are the 
specimens for comparative study. Mass-media news and court-case reports are the main 
sources for case study. Smith, Grabosky, and Urbas (2004) examined 240 cases (p. 10) and 
provided “the first international study of the manner in which cyber criminals are dealt with 
by the judicial process” (p. 13). Otherwise, Makkonen, Manninen, Montonen, and Savela 
(2003) carried out a content analysis of news on cybercrime. In countries where cases are not 
officially compiled, news reports become the main source for case study. 

Thirdly, one of the approaches is comparative research, which occupies a significant 


position. In the past, it was necessary to visit libraries and consult legal collections. Currently, 


it has become routine for countries to publicize laws and cases. Access to legal databases is as 





'® For example, Paul Clark, Cybercrime Treaty Bibliography, April 30, 2004. Retrieved 15 March 
2007, from http://www.wildernesscoast.org/bib/treaty-by-date.html; J.A.N. Lee, Computer Crime 
Bibliography, 24 November 2001. Retrieved 15 March 2007, from 
http://courses.cs.vt.edu/~cs3604/lib/Crime/bibliography.html. In a wider basis, James Herbsleb, A 
Bibliography of Current Issues in Cyberlaw, 6 April, 2004. Retrieved 15 March 2007, from 
http://www-2.cs.cmu.edu/~jdh/courses/Cyberlaw%20ONLINE/bibliography.htm; Curtis E. A. 
Karnow, Peter Soares, Joel Muchmore, Sonnenschein Nath and Rosenthal LLP, 

Law and Cyberspace Bibliography. Retrieved 15 March 2007, from 
http://mitpress2.mit.edu/e-journals/Leonardo/isast/spec.projects/intellpropbiblio.html. In a narrower 
sense, the Public Affairs Section, the U. S. Embassy in Thailand, a Bibliography of Internet Crimes 
and Fraud, 26 April 2001. Retrieved 15 March 2007, from 
http://www.usa.or.th/services/irc/bib_inet_crime.htm. Dorothy Denning’s links. Retrieved 15 March 
2007, from http://www.cs.georgetown.edu/~denning/links.html. Vlasti Broucek, 24 March 2004. 
Retrieved 15 March 2007, from http://brouk.psychol.utas.edu.au/bibliography_old.html. Maximillian 
Dornseif, Kay Schumann, Bibliographie Computerkriminalitat, 25 March 2002. Retrieved 15 March 
2007, from http://md.hudora.de/jura/bib-compkrim/compkrim.html 

'? Collis (1996), pp. 168-169. 
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good to consulting the parliamentary archives. The obstacle of languages is becoming less 
serious because of online and offline translation tools, however weak these translations 
sometimes are. The availability of multilingual information is making it more effective to 
build up international comparisons. 

Fourthly, it is difficult to answer the question of “how cybercrime is committed?” before 
we can demonstrate it by a personal experiment. Real cybercrime scene cannot be learned 
merely by reading literature. If the perpetrators have a better understanding then their victims 
of the ways to commit cybercrimes, then, scholars, legislatures, police, prosecutors, and 
judges, crime and anti-crime will be placed on an unbalanced scale. Hence, the studies and 
research on texts should be supplemented by some kinds of experiments. Observations and 
experiments are as necessary to illuminate the literature and to illustrate important 
mechanisms in cybercrime as they are in information science and information security. 

The problem lies not in whether law students are able to carry out such experiments, but 
in whether computer security laboratories are willing to accept law students. Historically, 
hacker culture was built on the supposition that access to another’s computer systems was 
harmless. In completely controllable laboratories, law students should also be able to 
experience the hacking process. Experiments allow people to grasp better the nature, damages 
and motives of some cybercrimes, and to grasp better their transnational influence. 

As many domestic legislations, the Convention on Cybercrime does not require 
criminalizing legitimate and authorized computer security, research, or education practices.” 
Some domestic legislation that criminalizes conducts related to hacking tools also excludes 
punishment against network security personnel.'”” 

Cybercrime laboratories are being established all over the world, for example, Regional 
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Computer Forensic Laboratories in San Diego, California. ~ Its mission is to develop a 


national government, industry, and academic collaboration to address cybercrime technical 





'"l’ Article 6 of Convention on Cybercrime. 

' See the U.S. Department of Justice, Frequently Asked Questions and Answers-Council of Europe 
Convention on Cybercrime, Updated 10 November 2003. Retrieved 15 March 2007, from 
http://www.cybercrime.gov/COEFAQs.htm. 

' E.g., Regional Computer Forensic Laboratories (RCFLs) in San Diego, California, established in 
1999. This is a regional crime lab, specializing in retrieving computerized data and preserving the 
evidence for trial. See Bigelow (1999). 
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issues; share a forensic tool knowledge base; distribute cybercrime technology and tools to 
law-enforcement agencies at a national level through capacity-building packages, 
cybercrime-awareness seminars, and cybercrime-tool evaluations; heighten national 
awareness of cybercrime; provide technology assistance; and facilitate cybercrime training.’ 

The Department of Defense in the U. S. has also established a Computer Forensics 
Laboratory (DCFL) in 2001, with the mission of providing digital-evidence processing and 
analysis for the Department of Defense of setting guidelines for digital forensics analysis, of 
fostering forensic media analysis projects, and of conducting liaison by partnering with 
governmental and private industry computer-security officials to keep abreast of the 
cutting-edge technology.'” 

Similar to controlled experiments is the situation where individual or institutional 
researchers obtain and deposit materials that are forbidden by law. In the case of institutional 
researchers, it may be easier to demonstrate a genuine purpose for research. Puzzling is 


6 the court dismissed the 


nonetheless the case of individual researchers. In R. v. Wrigley, 
appeal of the accused on grounds of genuine research, for which the accused communicated 
with paedophiles and downloaded pictures of child pornography from the Internet. The 32 
disks seized by the police containing 677 indecent images of children became evidence for his 
conviction, even though he claimed that he was collecting materials for his possible PhD 
thesis. The court held that the timing of the offence occurred the idea of any such a research. 


Nor was the pursuit of a hobby any excuse. In CN v Secretary of State,'’” 


the perpetrator 
viewed nude or partially nude pictures on his computer, but he insisted that he was a 
photographer with a specific interest in nudes and naturism. For this purpose, he regarded the 
websites that he obtained access using his credit cards as part of his whole interest, a 


legitimate part, and occurring “in dedication to a particular photographer's work.” He stated 


that he looked at images that “...were tasteful, artistic images or naturist images. On the few 





™ See JUSTNET, CyberScience Laboratory. Retrieved 15 March 2007, from 
http://www.nlectc.org/assistance/cybersciencelab.html; CSL, CyberScience Laboratory - History. 
Retrieved 15 March 2007, from at http://www.cybersciencelab.com/_public/index.html 

” The Department of Defense Cyber Crime Centre (DC3), 26 March 2004. Retrieved 15 March 2007, 
from http://www.dcfl.gov/DCFL.htm 

7° [2000] EWCA Crim 44 (26th May, 2000). 

™ [2004] EWCST 398(PC) (24 August 2005). 
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occasions the images were of young people, the sites clearly indicated that parental consent 


99178 


and cooperation had been obtained... The court dismissed his appeals against decisions 


on his unsuitability to work with children and vulnerable adults!” 


These cases provided 
useful reference for researchers to collect materials on similar subjects. Thus, legal steps 


should be taken to protect legitimate academic activities. 


5.4 Misleading information and cybercrime research 


As already noted, there has been abundant literature on cybercriminal phenomena. 
However, if we turn to Babbie (1995), to ask whether there has been a long-lasting tradition 
or an established authority in this academic inquiry, a satisfactory answer still deserves 
decoding, to which neither tradition nor authority sufficiently contributes. 

In fact, cybercrime has long been puzzled by misleading information, with the sources 
ranging from journalists’ books and articles, politicians’ reports and testimonies, law 
enforcement’s bulletins, and researchers’ academic writings (Smith, Wall Street Journal, 8 
September 1998). Some of the most famous hoaxes include the printer-virus, the 
electromagnetic pulse gun, pen pal e-mail, Russian virus 666, Clinton virus, etc. (Smith, Wall 
Street Journal, 8 September 1998), among which the “printer-virus” is the most frequently 
cited in proving the danger of cyber warfare. 

Misleading information greatly reduces the seriousness, precision, reliability, and validity 
of relevant achievements. It is necessary to be cautious in dealing with literature. However, 
the widespread misleading (and non-misleading) information, particularly that originating 


from authoritative individuals or institutions, will inevitably still play a decisive role. 


5.5 Conclusion 


This chapter briefly summarized my understanding about how the phenomenon of 


cybercrime has attracted universal attention from people in all occupations. Cybercrime has 
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ibid., paragraph 8. 
ibid., paragraphs 31 and 33. 
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become a focus of research in the criminal sciences dealing with criminals. The topic of 
cybercrime covers a broad range of matters. As a new topic, many problems have to be solved 
first of all in the theoretical sphere, supplemented by practical experiences. The research into 
this theme also relies on information systems. Although cybercrime concerns two groups of 
people: criminal actors and anti-crime actors, I am not devoting myself to describing how 
criminals learn from precedents to improve their criminal skills. Rather, the next chapter will 


return to criminal phenomena itself, observing the perpetrators from an external standpoint. 
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CHAPTER 6. CYBERCRIMINALS AND THEIR MOTIVES 


6.1 Introduction 


The motivated criminal is one of a causal trinity (together with the potential victims and 
weak guardianship) that produces crimes (Cohen and Felson, 1979). In cybercrime, this is 
also a perceivable reality. While we consider that the three factors are intertwined together, 
we will dedicate this chapter particularly to depicting cybercriminals and their motives. 

One of this study’s primary aims is to present a panorama of the cybercriminal 
phenomenon necessary for the establishment of a positive argument for an innovative legal 
framework. It is crucial to answer the questions of “who are more likely to commit 
cybercrime,” and “what factors are more likely to motivate the cybercriminals to take the 
risk?” Studies and research on the subject of computer crime has had a history of several 
decades. Previous studies have drawn clear and steady conclusions that there was no single 
profile of the characteristics of a “typical” computer criminal, and that many whose 
characteristics meet the profile are not criminals at all (Ware, Pfleeger and Pfleeger 2002, p. 
20). However, some profiles are built on empirical studies. The earlier studies tended to 
“portray them as young, educated, technically competent, and usually aggressive,” as Bequai 
(1978, p. 4) stated. Donn B. Parker (1976, p. 45) has presented a brilliant portrait of computer 
crime perpetrators, stating that they were typically “bright, eager, highly motivated, 
courageous, adventuresome, and qualified,’ which were the just characteristics that qualify 
them to employment in data processing. 

The development of computer technology has changed the depiction completely (Becker 
1981, pp. 18-20). There are different views about the computer systems, implying that people 
can use this system to do different things, and particularly, abuse the system, or pursue other 
deviant behaviours under the cover of technological challenge (ibid., pp. 18-20). Bequai 
(1983, pp. 47-50) found that while the potential sources of computer attack may vary from 
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each other, they can, however, be grouped into three categories: dishonest insiders, outsiders, 
and users. This implies that everyone had an equal chance of being involved in computer 
crime in the age when the Internet did not expand as widely as at present. Wasik (1991, pp. 
60-65) concentrated on the characteristics and classifications of perpetrators as well. 
Levinson (2002, p. 525) sorted out the sources of cyber threats into five groups, including 
insiders, hackers, virus writers, criminals groups, and terrorists. Reynolds (2003, pp. 58-65) 
classified perpetrators into hacker, cracker, insider, industrial spy, cybercriminal and cyber 
terrorist. That is to say, a broad application of computers had created a multi-dimensional 
social environment, and potential computer criminals had inevitably discovered the 
opportunities available. It is clear that the subjects of cybercrime will develop into typologies 


that are more and more sophisticated. 


6.2 The subjects of cybercrime 


When we talk about the subjects of cybercrime, the focus is on the profile of the 
cybercriminal. However, the cybercriminal is not one single person, but a group of 
perpetrators. Many researchers have written in previous literature about “who” are most likely 
to commit cybercrime. Any conclusions drawn from some hundreds or thousands of cases 
may be premature or misleading in formulating an accurate description of a profile. More than 
twenty years ago, Bequai (1983, p. xviii) pointed out that the problem of the computer 
criminal profile can be so complex that no one single picture can be given for sketching out 
the panorama of this aggregation. He gave a tentative table of the profile of a typical computer 
perpetrator concluded from hundreds of cases in the U. S. Bureau of Justice statistics (1983, 
pp. 42-45). He gave the same warning against a misleading effect as many other scholars did. 

As I concluded in the last chapter, the subjects of cybercrimes can be either insiders or 
outsiders. Many cases have revealed that insiders constitute a great threat to their employers’ 
systems. However, fewer younger juveniles are employed than older juveniles. That is to say, 
the younger juveniles may be found among the increasing number of outsiders who engage in 
cybercrimes. On the other hand, the nature of cybercrime is such that its perpetrators do not 
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have an age limit. Any one who has access to computers and the Internet can act in a manner 
that gives rise to criminal liability. 

The Internet users are strongly sex divided, that is, a higher percentage of males than 
females use the Internet. For example, in 2001, only 6 per cent of Internet users in the Arab 
States were women. It is 38 per cent in Latin America; 25 per cent in the EU; 37 per cent in 
China, 19 per cent in Russia, 18 per cent in Japan, 17 per cent in South Africa, and nearly 50 
per cent in the U. S.'®° In Nordic countries, males have a higher percentage of daily and 
regular use of the Internet (Nordic Council of Ministers 2005, p. 42, Table 2.5; p. 42, Table 
2.6). However, the difference is becoming smaller, with females constituting the larger group 
of Internet users in some countries. 

This character is also transplanted into cybercriminal phenomena. According to Levinson 
(2002), “It is well established that boys commit far more juvenile crime, particularly violent 
crime, than girls.” (p. 490) In fact, males have historically been responsible for the majority of 
overall criminal phenomena. Even in modern society, females constitute only one-third of 
those who commit all crimes. For example, in 2005, among the suspects investigated by the 
Finnish police, only 17 percent were females (Honkatukia and Savolainen 2006, p. 189). In all 
the offences, the highest percentage that female suspects account for are still below 30 percent 
(ibid., pp. 189-190). Similar patterns have also been demonstrated in many other countries. '*! 
Cybercrime seems less violent, but research studies indicate that more males commit 
cybercrimes than females. In a Chinese statistical study, Jiang (2000) found that males 
accounted for 91.45 percent of the perpetrators, while females accounted for only 8.55 percent 


(pp. 151-152). He explained that the reason might be the differences between males and 





'89 Women’s Learning Partnership, December 2001. Retrieved 15 March 2007, from 


http://learningpartnership.org/facts/tech.phtml 

'8! Take example of other Nordic countries: in Norway, females constitute less than 15.3 percent of 
persons charged with crimes (Norges Offisielle Statistikk. 2007. Kriminalstatistikk 2002 (Crime 
Statistics 2002) (NOS D 374), Table 14: Persons Charged with Crimes, by Sex and Age, p. 45); in 
Sweden, the percentage is about 19.7 (Sveriges Officiella Statistik. 2005. Brottsf6rebyggande Radet, 
Tabell 200: Persons Suspected of Offences by Types of Offence, Age and Sex. Retrived 15 March 
2007, from http://www.bra.se/extra/measurepoint/?module_instance=4&name=Persons suspected of 
offences, 

2005 &url=/dynamaster/file_archive/061003/37fd76d9c 1 5cOf2e18648590184d55cb/Persons%2520sus 

pected %25200f%2520o0ffences%25202005.xls); in Denmark, the figure is around 17.6 (Statistics 
Denmark. 2006. Statistics Yearbook 2006, Social Conditions, Health and Justice, Table 193: 
Convictions for Offences against the Penal Code, by Age and Sex 2004). 
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females in computer knowledge, skills, and attitudes to online interactions (ibid.). However, 
the reasons why females have been convicted of fewer cybercrimes than males are not really 
clear at all. The matter needs a special exploration into questions of whether females actually 
do commit fewer cybercrimes or whether female cybercriminals are less able to be detected. 
While sex is natural, gender is social. In current society, particularly in cyberspace, the 
boundary between (virtual) genders is vague. Thus, considerable efforts of the imagination are 
now being made about how genders should be defined. 

Another characteristic of the subjects is that they are distributed over a broad area. 
Where there is Internet, there are users, and there are opportunities for abusers. Interaction 
and communication become more convenient, and conspiracy may take the form of online 
communications. Online gangs and organized crimes are capable of launching attacks from a 
wide range of computers. In talking about the global distribution of cybercriminals, we are not 
denying the global distribution of traditional criminals either. Any criminal can commit a 
cybercrime across territorial borders without appearing in person at the crime scene, which is 
a necessity in almost all the traditional offences. The cybercriminals stay where their 
computer hardware is located, while at the same time their criminal activities can take place 


wherever information systems exist. 


6.3 The background of the cybercriminals 


As stated, computer crimes can be divided into offences by insiders and offences by 
outsiders. Shaw, Ruby and Post (1998) classified insiders into information technology 
specialists such as full-time or part-time employees, contractors, consultants, or temporary 
workers; partners and customers with system access; and former employees retaining system 
access. As to whether it is insiders or outsiders who constitute the greater threat to the 


computer system, there have been different findings.'** However, the mainstream findings 





' For example, The AFCOM's Data Centre Institute found that the cyber attacks launched by 


outsiders (52 percent) were ten times that of the insiders (5 percent). However, the respondents were 
more concerned the insider threats than the outsider ones. See Edward Hurley, Are Insiders Really a 
Bigger Threat? 17 July 2003. Retrieved 15 March 2007, from 
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prove that insiders have been more likely to be involved in computer crimes against the 
employers’ systems or other abuses.'** Insiders and outsiders also form conspirators in 
certain schemes (see also Section 4.9.4),184 The Nordic Council of Ministers (2005) found 
that students, employees and self-employed people constitute a higher percentage of Internet 
penetration (Nordic Council of Ministers 2005, p. 42, Table 2.5). 

In addition, there is a specific category of attackers, namely, “outside insiders.” They are 
those who were previous employees but later left the occupations. Being former employees, 
(some even being computer administrators), they had knowledge about the inside structure of 
the institution’s information systems, and some even kept their accounts for access to the 
computers of the institution. Leaving the previous occupation, they became outsiders, but 
with a higher possibility than pure outsiders to misuse the institution’s information systems. 
The reasons why they left the occupation are closely linked to their motives in the attack.'®° 

The conspiracy between the insiders and the outsiders is an issue that cannot be ignored. 
Particularly, the co-operation between insiders and the above-mentioned outside insiders are 
always closely connected with an established relationship, an environment of corruption and 
indiscipline. In R. v. Rees,'®® a previous colleague of the accused was convicted of 
inappropriately disclosing to the accused confidential information of the police, and thus 


inappropriately enabled the accused to have such confidential information in his possession, 





http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_¢c1906437,00.html 

'8 For example, in R. v. Stanford ([2006] EWCA Crim 258 (01 February 2006)), after the perpetrator 
resigned from leadership of the company, he retained a 30 percent shareholding. In order to regain his 
position, he began to collect information to discredit the leader and force him to resign. By using the 
name and password of an administrator of the e-mail server, he intercepted the e-mails of the server. 
Another example, United States v. Pierre-Louis (Southern District of Florida No. 
00-434-CR-GOLD/SIMONTON, 22 March 2002), an employee (the accused) sent a virus to his 
employer, and caused a two-day stoppage. 

'S! Tn R. v. Jones and Singh ({1997] EWCA Crim 164 (23 January 1997)), three co-accused, who 
worked for the National Westminster Bank, produced screen prints of confidential information of 
genuine customer accounts. They passed the printouts via middlemen to the co-accused, who in turn 
used to forge credit cards. The forged credit cards were used to defraud from the bank of £1.2 million. 
'> For example, in United States v. Middleton (Ninth Circuit No. 99-10518, 12 September 2000), the 
accused dissatisfied with his job as a computer administrator in a company and quit, with extensive 
knowledge of its information systems. He was allowed to retain an e-mail account and used it to 
commit his unauthorized access and sabotage; in the United Sates v. Millot (Eighth Circuit No. 
04-3962, 15 November 2005), the former system analyst of a company quit the post, but retained a 
Secure ID card of an account with the highest level of access possibility. With this, he repeatedly 
accessed the company's network and caused damage. 

'8° [2000] EWCA Crim 55 (20 October 2000). 
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while the accused was convicted of aiding, abetting, counselling or procuring his colleague to 
do this. 
Conspiracy not only happens between insiders and “outside insiders” (see also Section 


187 
the accused was 


4.9.4). Pure outsiders are also likely to participate in it. In R. v. Allison, 
an insider, who acted as a credit-card analyst, having the authority to access information 
about the company’s debtors. She got instruction on accounts that she should work on, but 
she could also access other accounts. Upon accessing other accounts, she provided 
information about them to her outside co-conspirators. With that information, one of the 
outsiders drew large sums of money from Automatic Teller Machines (ATM). 

Mackenizie and Goldman (2000) reported that some students, particularly computer 
science and engineering majors, with newly discovered skills, attempted to break into the 
servers of the University of Delaware (p. 174). CSI reported that 55 percent of survey 
respondents reported malicious activity by insiders (Nelson 2004, pp. 299-321). Researchers 
also revealed that dissatisfied employees were a major source of computer crimes (Vatis 
1999) and were the greatest threat to computer security (See Sinrod and Reilly 2000, pp. 
183-187). When Sutherland suggested the term “white-collar crime” in the late 1930s, he 
could hardly have imagined that there would be crimes occurring in the process of 
human-machine-human interaction, other than the human-human interaction, 
human-organization interaction, or human action against the machine. Nevertheless, the term 
“white-collar cybercrime” or “cyber white-collar crime” has also come into use at the present 
time, apparently as new development of Sutherland’s theory. '** Michalowsky (1996) 
explicitly attributed computer crime to white-collar crime (p. 175), because computer crime 
was an “insider crime” (p. 177), computer crime violated “trust” (p. 178), computer crime 
aimed at “personal or organizational enhancement” (p. 179), computer crime was 
“administratively segregated” (p. 180), and computer crime drew “limited enforcement 


attention” (p. 181). 





'87 [1998] EWHC Admin 536 (13 May 1998). 

'88 See for example, “Victim Assistance Online” Web site. Retrieved 15 March 2007, from 
http://www.vaonline.org/internet_wcollar.html. The term “White-collar Hacker” is also used, for 
example, by Leyden, J. The Rise of the White-collar Hacker, 2004. Retrieved 15 March 2007, from 
http://www.there gister.co.uk/2004/03/3 1/the_rise_of_the_white/ 
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In my opinion, the concept of white-collar crime cannot perfectly fit the situation of 
cybercrime. Yet the term “white-collar crime” emphasizes the occupation and social status of 
the criminals, and one of the most relevant factors in white-collar crime is the knowledge that 
the criminals acquire from both their pre-employment education and their occupational career. 
It is hardly oversimplified to view white-collar crime as a knowledge-based offence 
compared with violence-based traditional offences. As to the defining of cybercrime, it can 
be viewed either as a knowledge-based white-collar crime or as knowledge-based cyber 
violence. In the former case, it is white-collar crime; in the latter, it is not. 

It is reasonable to conclude that, when there were few computers, employees in 
computer-related industries were the only computer users, and were small in number. They 
acquired more chances to launch attacks against their employers. With the prevalence of 
personal computers and the development of the Internet, insiders remain to take advantage of 
having better knowledge about access-control mechanisms, asset management systems, and 
overall loopholes. Insider knowledge, convenience, and directness encourage undisciplined 
employees to commit cybercrimes. As the U. S. Secret Service and CERT Coordinator 
Centre's study disclosed, minimal technical skill is required to launch cyber attacks on the 
banking and finance sector (Randazzo and co-workers 2004).'* 

In addition, insiders expose themselves to a negative psychological influence derived 
from their information work environment. Shaw, Ruby and Post (1998) identified the factors 
that increase the tendency towards illegitimate and harmful behaviour among employees, as 
including computer dependency, a history of personal and social frustrations (especially 
anger toward authority), ethical flexibility, a mixed sense of loyalty, entitlement, and lack of 
empathy. 

On the other hand, offences by insiders involve a less complicated process of tracing, 
detecting and investigating than in the case of outsiders. If we cannot judge whether insiders 
or outsiders are liable to commit more cybercrimes, we should firstly consider the question of 
which group are more likely to do it and which group are more likely to be caught. Insiders 


surely coincide in both of situations: insiders commit it and they are caught. Therefore, 





'89 In different studies, the term “insider” is defined differently. In Randazzo and co-workers (2004), 
insider was defined as including “current, former, or contract employees of an organization.” 
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everyone knows that insiders pose greater threats, and outsiders are exempted from 
reprimand. Furthermore, it is more efficient for the law enforcement to reveal an inside 
misuse than an outside attack, they are rationally more likely to pay more attention to the 
current and previous employees. Incidents involving outsiders and or international actors will 


more likely to be disregarded at first glance. 


6.4 Individuals versus groups and organizations 


The social actors can roughly be classified into two categories, natural individual actors 
and corporate actors (Coleman 1990). The classification has been used to categorize 
criminals into individual criminals and corporate criminals, for example, Sutherland (1949), 
Alvesalo and Laitinen (1994, pp. 11-66), etc. 

The subjects of cybercrime -in this case the perpetrators- are as complicated as those of 
traditional crimes. We can touch further beyond the ideal typology for a combination of 
individual persons. First, individual persons act independently, in which case the perpetrator 
should necessarily appear on the scene. 

Second, individual persons act separately, but dependently, for example in cases of 
mobs and other collective actors, in which the actors necessarily appear on the scene, and 
their absence is exceptional. 

Third, individual persons act together. They are dependent, interrelated, and coordinated 
as in the case of organized crime. They do not necessarily act physically in person. When an 
offence is committed, some are on the scene, while some are not, for example, the organizer 
of the crime. A collective presence is optional. 

Fourth, individual persons act together. They are dependent, interrelated, coordinated, 


but not necessarily physically in person. A collective presence is exceptional. 
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Corporation 





Figure 5 The Forms of Criminal Actors and the Preventive Units Designed against 
Them 


Notes: 
The first two types are non-organized. The latter two types are organized. 


The first three types are illegitimately combined. The last type is legitimately combined. 


As Figure 5 illustrates, an individual belongs to a single non-collective class. However, 
the individual also belongs to the group of the non-organized class. Furthermore, the 
individual, group and organization belong to the same non-institutionalized class. The 
organization and corporation both belong to the organized class, but the corporation is further 
located in the institutionalized class. In addition, the criminal group and criminal organization 
are both criminal collectives, being illegitimately formed. The corporation is formed 
legitimately. 

Extending the discussion a little further. The individual is directly linked to the family. 


Group is usually beyond one family, but is limited to the neighbourhood. Organized crime 
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has a broader range of influence, that is, the community. These three units can play important 
roles in crime prevention against the individual, group, and organized crime both separately 
and together. A corporation is established by the authorization of the state, and the primary 
prevention unit should be the public sector. 

As Kelly (2002) has summarized it, cybercriminals may be those who shift from 
traditional crime into a new world, discontented personnel, cyber adventurers, and cyber 


: : 190 
spies and cyber warriors. 


It is reasonable to claim that these individual criminals, 
corporate criminals, and particularly, a criminal organization all have the tendency to extend 
their criminal activities into cyberspace. Sometimes even cyber mobs will act against law and 
order in cyberspace. 

In the case of natural persons, the social status, age, and education background of 
computer criminals cover a broad range. They may be “students, amateurs, terrorists, and 
members of organized crime groups” (UNCJIN 1999, Paragraph 32); or people with varied 
skills, knowledge, resources, authority, and motives (Parker 1998); and people with different 
levels of skill in formal education, social interactions and use of computer systems (Parker 
1998). Particularly, virus writers also “vary in age, income level, location, social or peer 
interaction, educational level, likes, dislikes and manner of communication.” (Kabay 2001) 

If we say that cybercrimes by individuals have already run rampant, organized 
cybercrime, cyber terrorism, and cyber laundering will be even greater emerging threats to 
the networked information society. 

The 9/11 attacks on the U. S. raised great concern about organized cybercrimes, cyber 
terrorism and cyber laundering. Although many commentators have made efforts to define 
organized crime, Feldman (1993) has identified three key features of such organizations: 
making money as the goal; corrupting the police and public officials; and being a family 
business (p. 16). In this sense, no organized cybercrime has ever been reported in real life. 
Although organized cybercrime can be regarded as falling within the domain of actions of 


natural individual criminals, it has such particular properties that it deserves a special inquiry. 





' Kelly (2002) stated that: “Perpetrators can be from the traditional criminal world exploiting the 


power of the new tool, disgruntled employees using their inside knowledge, the curious and 
thrill-seekers treating the medium as a challenge and those engaged in industrial espionage and 
information warfare.” 
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Information systems have dual roles, being a critical infrastructure of society and 
potential targets for crimes; and being the means as the communications system and being the 
route that facilitates electronic-money laundering. A growing concern is that the organized 
crimes and cybercrimes are increasingly interwoven. Bequai (1979b, p. 201) stated: 
“Organized crime now operates with impunity and the knowledge that it enjoys de facto 
immunity from prosecution.” The computer systems is infiltrated by organized crime (Bequai 
1983, pp. 55-69), becoming its tools to operate drug trafficking, gambling, loan sharking, 
theft of cargo, prostitution and bootlegging of cigarettes, labour racketeering, coercive 
practices, and economic crime (p. 59). Everything that traditional organized crime has been 
doing can now possibly be done with the help of information systems, which play different 
roles in offences. 

The ways in which international organized criminals exploit information systems, 
including making obstacles by technical means to escape official investigations, raising funds 
through cyber offences, using online services in money laundering, publishing online 
advertisements, and realizing trans-border money laundering through electronic banking and 
commerce systems (Lilley 2003, p. 117). Williams (2001) identified that criminal groups are 
using the Internet in property crimes, white-collar crime, and money laundering, and the 
organized crime groups that use the Internet for communications and for any other useful and 
profitable purposes. 

Most cybercrimes are not necessarily organized; however, organized forms of 
cybercrimes have greater threats than unorganized forms. Organized crime simply means a 
crime that is committed by organized perpetrators. In the case of cybercrime, there are some 
forms of offences like organized crime, but in practice, they are merely individual crimes. 
For example, distributed denial of service attacks are launched from compromised computers 
distributed in different locations. These computers can be “organized” by one or more 
persons. However, the crime in which “organized” computers are used as tools does not 
necessarily form an organized crime. 

The U. S. Department of Justice (2002) reported an organized software piracy case. 
According to the report, the DrinkOrDie online software piracy group was specialized in 
acquiring and cracking new software and releasing cracked software over the Internet. The 
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leader and about 65 members from more than 12 countries in the group adopted a 
hierarchical organizational structure, grouping members according to their different functions 
(U. S. Department of Justice, Press Release, 17 May 2002). 

In considering the problem of organized crime, the UN Convention against 
Trans-national Organized Crime should not be ignored. The Convention defines organized 
criminal groups as “a structured group of three or more persons, existing for a period of time 
and acting in concert with the aim of committing one or more serious crimes or offences 
established in accordance with this Convention, in order to obtain, directly or indirectly, a 


financial or other material benefit.” !”! 


For how long a period of time the group exists has not 
been clarified in the Convention, while serious crime means a crime punishable by at least 
four years of imprisonment. 

Although there is increasing concern on cyber terrorism, the understanding of what 
cyber terrorism constitutes is unclear. Generally, it is a concept that is comparable to 
traditional terrorism. Many characteristics can be induced from the concept “terrorism”; 
however, the most significant factors may be political motivation, violent effect and fear 
creation. The following two definitions prove that these respects are also critical in 
identifying “cyber terrorism”. The FBI’s definition of cyber terrorism has emphasized the 
political motivation and the violent effect in an attack on information systems: 

“The premeditated, politically motivated attack against information, computer systems, 
computer programmes, and data which result in violence against non-combatant targets by 
sub-national groups or clandestine agents.” (Pollitt 1997, Cited in Robert 2004, p. 124.) 

The U. S. National Infrastructure Protection Centre’s definition has focused more on the 
fearful effect of such an action, among many other harms: 

“A criminal act perpetrated by the use of computers and telecommunications capabilities, 
resulting in violence, destruction and/or disruption of services to create fear by causing 
confusion and uncertainty within a given population, with the goal of influencing a 
government or population to conform to a particular political, social or ideological agenda.” 
(Garrison and Grand 2001, p. 2) 


As Weimann (2004, p. 6) claimed cyber terrorism becomes an attractive choice for 





'°! The UN Convention against Transnational Organized Crime (A55/383, 2000), Article 2. 
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contemporary terrorists for several reasons. It is cheaper, more anonymous, aiming at a more 
enormous target and number of targets, remotely conducted, and affecting a larger number of 
people worldwide. International society has hardly implemented any countermeasures against 
traditional terrorism in the last few years. At present, further actions should be taken to 
respond to the rising threat of cyber terrorism. However, from lack of practical cases, cyber 
terrorism remains a theoretical assumption and a supposed or partial threat. Scholars, 
politicians and mass media tend to connect terrorists with information systems, but these 
efforts appear feeble since the fact that the terrorists are still able to utilize the traditional post, 
transportation, and courier. As Harvey (Financial Times, 3 December 2003) pointed out, 
cyber terrorism remains an unimportant matter. Me 

Theorists of the early 2000s overemphasized the problem of cyber terrorism for several 
reasons: Firstly, the panic caused by the previous century’s Asian financial crisis continued in 
the uncertain new century. Secondly, the denial of service attacks against web sites during 
this period seemed to portend the possibility of the collapse of information systems and the 
information economy. Thirdly, for the mainstream American theorists and law enforcers, the 
9/11 attacks on the U. S. were interpreted as a strange hint that cyber terrorism could also 
cause similar casualties in which thousands of people lose their lives. Fourthly, 
eschatological ideas still dominated the brains of most people in considering that the end of 
the world may be expressed in the form of end of the society, in particular, the information 
society. 

The research on cyber terrorism is primarily for the purpose for raising the awareness 
and preparedness of the authorities (because once occurring, cyber terrorism should be dealt 
with at the first moment by the authorities), the legislature, politicians (because it is 
politically motivated) and the general public (because it is assumed that the general public are 
the most frequent victims, even if the attack is targeted at a certain person, building, vehicle, 


or certain part of information systems). 





' The present wars on real world terrorism being continued, critics revealed that the wars are based 


on “selfish” politicians’ distortion and exaggeration of the threats posed by terrorism. See Stewart 
Nushbaumer, The Abuses of 9/11, 2002. Retrieved 15 March 2007, from 
http://www.911digitalarchive.org/collections/reports (saying that the wars were being exploited by the 
forthcoming party elections); DeBose (2004); O'Brien (2004) (saying that the so called war on 
terrorism included “inexcusable misrepresentation’’). 
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6.5 Juvenile cybercrime 


A noteworthy phenomenon is that, regardless of individual cybercrimes, or corporate 
cybercrime, young perpetrators play a critical part. Although there is no age limit for 
committing the cybercrime, as there is for traditional crimes, young people constitute an 
important part of the cybercriminals. As Shannon (1993, p. 2) reported, cybercriminals 
usually tend to be between the ages of 14-30, they are usually bright, eager, highly motivated, 
adventuresome, and willing to accept technical challenges. The age of criminal responsibility 
is prescribed differently between various countries. In most countries, children under 14 or 
15 years of age are not liable for a criminal offence, while children between 15-17 or 14-16 
years of age are liable for a limited range of offences.'** In fact, juveniles commit a number 
of these crimes. In China, people between the ages of 19-40 constitute 80 percent of the 
Internet users, and the average age of the cybercrime perpetrators is 23 years old (Dong 
2003). Juvenile delinquency and juvenile justice became issues closely associated with 
cybercrime. According to Howitt (2002), the reason why children are more likely to commit 
crime is not that more and more children will commit crime, but that most of the potential 
offenders will commence to commit crime in childhood and continue their criminality for 
much of their lifetime. After 16-17 years of age, the offending rates decreases to a plateau (pp. 
76-77). Through empirical studies, the following reasons show why juveniles have a greater 
tendency to commit more cybercrimes: 

(1) People of different age groups use computers and networks in a different 
environment. Adults usually use computers and the Internet at work. When they go home 
after work, they have to do housework, take care of children, or are engaged in sports and 
recreation. The youths, including young couples without a child, use computers and the 


Internet at any time, and for a long time everyday. For example, about 57.9 percent of the 





' For example, in China Penal law, children under 14 years old of age are not liable; in Finish Penal 


law, the age limit is 15. In some other countries, the age of criminal responsibility is even lower. In 
England and Wales, the age is 10 years, while the there is a partial criminal responsibility between 
10-14 years of age. 
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Internet users are unmarried (China National Networks Information Centre, Statistical Survey 
on the Internet Development in China 2006, pp. 14-15). Many of them are not employed. In 
addition, some of the employed also use computers and Internet for many hours in their spare 
time. Students and employees in enterprises constitute 64.8 percent of the Internet users (ibid., 
p. 16). Youths use computers and the Internet for purposes of education, communication and 
recreation. Chatting and gaming are the commonest forms of online activities. Offline dating 
with online mates has become popular. Of the 111 million Chinese Internet users in January 
2006, about 16.6 percent are under the age of 18, about 35.1 percent are between 18 and 24, 
about 19.3 percent between 25-30, about 11.6 percent between 31-35, about 7.1 percent 
between 36-40. Users older than 41 account for only a little more than 10 percent (ibid., pp 
12-13). The U. S. Census Bureau surveyed households with computers and Internet access by 
householder age. The findings indicate that the 35-44 and 45-54 age groups have the highest 
penetration, more than seventy per cent own a computer and over sixty-five percent had 
Internet access. The survey found that the critical factor in determining whether a household 
had a computer or Internet access was the presence of a school-age child.!** 

A similar characteristic has also been found in Finland where one parent or two parents 
with children have access to the Internet at home with a higher percentage (Nordic Council of 
Ministers 2005, p. 39, Table 2.2). In all of the Nordic countries, the age groups of 25-34, 
16-24, 35-44, and 45-54 have the higher penetration percentage (ibid.). This increases the 
opportunities for harming others and the probabilities of being victimized. 

(2) People of different age groups have different interests in using computers and 
networks. The adults devote themselves more to profession and family, apart from the fact 
that their energy and interests are more concentrated on issues of greater concern. Youths are 
neophiliacs, with sharper curiosity and passion for an unknown field, and more hobbies. 
According to the Nordic Council of Ministers (2005), with an increase in age, the use 
purposes of the Internet declines. Youths use the Internet in noticeably more varied ways than 
elderly people do. Sixty percent of people under 30 years of age and exactly 14 percent of 
people from 60 to 74 years of age find at least eight purposes to use it (Nordic Council of 


Ministers 2005, p. 36). The Mentor, the author of “the Hacker Manifesto” confessed that: 





' U.S. Census Bureau, Computer and Internet Use in the United States: 2003, published in 2005. 
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“Mine is a world that begins with school... I'm smarter than most of the other kids, this crap 


they teach us bores me...”!?° 


The youths are also prone to addict themselves to computers, 
the Internet, and virtual reality. The Mentor described that: 

“And then it happened... a door opened to a world... rushing through the phone line like 
heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day 
incompetence is sought... a board is found.”!”° 

The share of virtual life in their daily life is increasing, at the share of real life decreases. 
To the extent the youths spend more time in cyberspace, the bigger the probability is that 
they involve themselves in online illegal activities (besides legal ones). 

(3) People of different age groups have different structures of knowledge, techniques 
and skills on computers and networks. The adults generally grasp the knowledge, techniques 
and skills for their occupational use. This does not exclude that they were ever good at 
pre-Windows operation systems and interfaces, for example, MS DOS, etc. However, adults 
have less intention of exploring the higher techniques and skills on computers and Internet, 
particularly those irrelevant to their profession. The young people are motivated by their 
curiosity and engaged in “learning-trying”. They are willing to try either useful or harmful 
content, programmes, messages or activities. They easily act in a way that sometimes 
generates a legal concern. 

(4) People of different age groups have a different legal consciousness and sense of 
social responsibility. The adults are more socialized and have a higher level of legal 
consciousness and stronger sense of social responsibility. They are not willing to harass 
others or disturb the public. Youths are in the process of being gradually socialized, with 
lower level of legal consciousness and a weaker sense of social responsibility. In practice, 
many juvenile cybercriminals are not conscious of the nature of their harmful activities. They 
think more about themselves than about the public, more about process than about result, and 
more about the power of technology than about the negative influence. They just do not 
recognize the harmfulness of their dangerous behaviour before they attract the attention of 


the law enforcers. 





‘95 The Mentor, The Hacker Manifesto, 8 J anuary 1986. 
196 =); 
ibid. 
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(5) People of different age groups have a different risk calculation and expectations of 
costs in deciding whether to carry out cybercrime. Adults who have their stable professions, 
families, reputation, and social status are not likely to carry out more risky and more costly 
activities, particularly harmful hacking. They feel they can only benefit far less from illegal 
activities than engaging in legal activities, and thus have less incentive to hack. If they 
commit this kind of act and are caught, their losses will be great and in a broad range. The 
possible result deters them from acting with a negative social and legal evaluation. Young 
people generally have a less stable social status and less to lose if they are caught for hacking. 
Their incentive to hack is surely bigger than adults are. 

(6) People of a different age group hold different attitudes toward crime. Adults have 
more mature thinking about criminal phenomena. The harmfulness and risk of crime have 
impressed them to stop before crime at every moment. Youths are not as mature as adults are 
and are less capable of controlling their enthusiasm. The temporary impulsion usually results 
in irrecoverable activities. 

(7) People of different age groups demonstrate different fluidity. The personality 
development of the adulthood is characterized by stability: “stability is the rule.” (Smith 1998, 
p. 397) Adults are apparently more stable than youths in employment, families, social status, 
and reputation. The youths are in a situation of development and usually move from here to 
there. During this process, they are easy to have more spare time alone. Due to lack of 
acquaintances, they take part in traditional social activities less but in online interactions 
more. In particular, in regions in the process of urbanization, the existence of latch-key 
children provides an incentive for private enterprises to operate premises for access to 
network services and games, these becoming largely uncontrolled places so_ that 
undisciplined children engage in unmonitored activities. 

(8) People of different age groups hold different attitudes toward fortune and fate. 
Adults have more life experiences and social knowledge, and are more aware that criminals 
can escape punishment temporarily, but that mostly they will be caught and punished later. 
Young people have a more unreasonable imagination of being able to escape from law 
enforcement, particularly when computers and the Internet provide such an indirect way of 
carrying out a criminal scheme. 
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(9) Criminal-victim relations are easier to establish between online users. Because 
youths tend to use computers and the Internet in a more frequent way, both cybercriminals 
and cyber victims tend to be people inside this age group. The same rule can be applied to 
organizations. Although it is unfeasible to measure the age of an organization, the ages of the 
personnel may serve as an indicator of the online business of this organization. If a company 
is owned or managed by youths, it is more likely to engage in some kind of online business, 
and more likely to be victimized as well. 

(10) Young people more easily escape arrest and punishment than adults are. This does 
not mean escaping in the physical sense, that is, “to run”. Rather, young people are less stable 
and fixed in terms of social status, and may have better chances of avoiding arrest by moving 
from one place to another, without further responsibility for employment or family (if they 
are not employed or married). 

In sum, youths may have more chances for access to computers and the Internet and are 
more likely to commit cybercrime. Certainty, they more easily harm others and are 


themselves more easily victimized. 


6.6 The subjective aspects of cybercrime 


Cybercriminals have a multiplicity of motives. The prolific functions and services of 
information systems create diversified incentives for their users to commit crimes. Criminals 
can be satisfied physically or psychologically through various online offences. As I have 
summarized the matter in the last chapter, cybercriminals can be motivated by a broad scope 
of internal driving forces. Cybercrime becomes an attractive industry for those who are 
seeking profitable opportunities. 

The perpetrators do not have a particular sense of guilt. The absence of the traditional 
crime scene and the remote control of the process render things different from the traditional 
crime scene. Technological involvement makes the process of most cybercrimes less violent. 
This results in a reduction of ethical and legal responsibility and of psychic cost, and creates 
an incentive to start, continue and repeat the offences. 
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The perpetrators depend more on fluky elements. As will be discussed in depth in 
Chapter 7, information systems provide chances for criminals to conceal their criminal traces 
and make it difficult for them to be discovered. The easy escape from moral pressures and the 
difficult detection process lower the psychic cost and increase the psychic sense of security. 
As the Hacker Manifesto stated that: “You may stop this individual, but you can’t stop us 
all ...”!°’ The deterrent effect of punishment on the cybercriminals is in turn reduced. More 
potential perpetrators are thus encouraged to participate in unlawful online activities. 

Furthermore, the Internet creates a space where people are not meeting face-to-face, but 
meeting mind-to-mind (Hagerty 2000, p. 181). The cyberspace facilitates a new style of 
interpersonal interaction that develops through the mediation of machines beyond the physical 
appearance of the participants. However, minds under this easy sense of falsification can only 
develop a vulnerable relationship and expose potential victims. E-mail frauds and viruses are 
a source of exploitation harvesting from the blind trust of remote recipients, enmeshed in the 
so-called social engineering structure. In Tektrol Limited v. International Insurance Company 
of Hanover Limited and Great Lakes Reinsurance (UK) Limited, !”° an attachment of an 
e-mail purported by a Christmas card from a trustworthy source was activated by the recipient 
and erased system files on the computer causing it to cease functioning, and more seriously, 


erased the source code that the recipient company developed.'” 


6.7 The motives of cybercrime 


As discussed in Chapter 5, cybercriminal behaviour affects many scientific disciplines. 


In research on cybercrime, the term motivation is used in a broad sense, and is usually 





7 The Mentor, The Hacker Manifesto, 8 January 1986. 
8 [2004] EWHC 2473 (Comm), No. 2003 folio 940. 
. The court noted that: 

“The virus author had no knowledge of or connection to the Claimant or its source code. 
Although he did not specifically intend to erase the Claimant’s source code, he intended the virus 
programme to spread around the world and knew that whenever the virus programme was activated by 
the opening of the ‘Christmas card’ attachment, computer data could be erased on the computer 
concerned.” 

ibid, appendix, assumed facts for the preliminary hearing, Paragraph 20. 
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interchangeable with motive. Motives are nothing more of a mystery than the wants and 
wishes the goal-directed activities endeavour to gratify (Smith 1998, p. 422). A strict 
distinction cannot be made between these two words. Therefore, Maslow’s “need hierarchy,” 
which lists need in a order of priority as physiological needs, safety and security needs, 
belongingness and love needs, esteem needs, cognitive needs, aesthetic needs and need for 
self-actualization (Maslow 1954), is not consistently relevant with the analysis here. The 
forces behind the individuals’ decisions to commit cybercrimes are different from one 
another. In understanding cybercriminal behaviour, we have to recognize psychic benefit in 
some cases and for some people. Although it is difficult to find a motive behind a cybercrime 
(Philip 2002), many different studies and research have drawn diversified conclusions on the 
classification of the motivations. According to Jordan (1998), there are six common beliefs 
among hackers: addiction, curiosity, thrill of information searches, ability to access, peer 
recognition, and identifying security loopholes. Maiwald (2003, pp. 36-38) concluded that 
hacker motivations could be divided into three categories, including the search for challenge, 
greed, and malicious intent or vandalism. Kiger and co-workers (2004) have summarized the 
motivations of cybercrime as money, entertainment, ego, cause, entrance to social groups, 
and status. Pipkin (2002, pp. 17-28) proposed that hackers may hack from an intellectual 
motivation, such as educational experimentation, harmless fun, as a wake-up call; personally 
motivated, such as disgruntled employees, cyber-stalking; socially motivated, such as 
cyber-activism; politically motivated, such as cyber terrorism, cyber-warfare; financially 
motivated; and motivated by the ego. Kremen (1998) classified hackers into ten types, 
including curious hacker, thrill seeker, the person who wants information about computers 
and their flaws, power seeker, vandal, the person who steals industrial information, secrets 
and/or intellectual property, the person who steals money, the person who performs industrial 
espionage, terrorist, and international spy (see also Section 4.9.2) 

In fact, the motives of cybercrime vary in a way that is beyond the imagination. If we 
say that many cybercriminals have the similar motives, we can also say that nearly every 
perpetrator has his or her own. Bequai (1983, pp 44-45) has summarized 17 different kinds of 
motives that propel the potential perpetrators to take the risk of committing computer crime. 
This section will identify and discuss 29 kinds of the commonest motives, without 
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deliberately avoiding coincidence with the different lists created by previous scholars. 
(1) Pursuing information freedom 

A free flow of information is a requirement for ensuring the free movement of goods, 
persons, services and capital.°”” In cyberspace, people who hold the view that the Internet is 
a public place, and thus everyone has the right of obtaining information, are not rare. Under 
the dominance of the hypothesis of information freedom, many information systems users 
take the risk of breaching others users’ privacy and trade secrets. Levy (1984), Selwyn and 
Gorad (2001), and Himanen (2001) have shown that many traditional hackers are motivated 
by a belief in the freedom of information. These hackers have insisted that all the useful 
information must be freely copied, distribute, studied, changed, and improved, but their 
ethical code prohibits destructive activities against any information.”’' What is problematic 
is that unauthorized access to confidential data has been criminalized, even in pre-computer 
times. If e-mail is comparable to a letter, and if free information advocators can freely open 
e-mail, a natural conclusion will be that everyone can destroy mailboxes and open letters. 
The only difference is that the present files exist in digital form. Access to confidential 
information is punished by laws penalizing offences infringing privacy, intellectual property, 
trade secret, and state secret. Therefore, the freedom of information is limited to information 
that is granted free access but access is not free to information that is limited. The other end 
of the free flow of information is the safeguard of the fundamental rights of individuals.”” 

(ii) Achieving ego expression 

Hackers also have the possibility of hacking for the sake of their ego, for proving a self 
that is different from the selves of others. Perpetrators in this category are usually frustrated in 


social competition elsewhere and seek an opportunity to compensate by employing their 





°° Directive 95/46/EC, Preamble (3). 

°°! See Branscomb (1990). The focus of the hacker ethic is on the freedom of information. The hacker 
ethic was initially created by the MIT hackers in the late 1950s to the late 1960s and articulated by 
Steven Levy in his book “Hackers: Heroes of the Computer Revolution.” The general creed includes 
the following aspects: “1. Always yield the Hands-On Imperative! Access to computers-- and anything 
else which might teach you about the way the world works-- should be unlimited and total. 2. All 
information should be free. 3. Mistrust Authority-- Promote Decentralization. 4. Hackers should be 
judged by their hacking, not bogus criteria such as degrees, age, race, or position. 5. You can create art 
and beauty on a computer. 6. Computers can change your life for the better.” See Logik Bomb, 
Hacker’s Encyclopedia, Second Revised Edition, 1997. 

°° Directive 95/46/EC, Preamble (3). 


187 


computer techniques. Through success in surrendering to information systems, they supersede 
others in hacking techniques and skills, even though they have an apparent inability that leave 
them incompetent with others in social activities generally. Yan and Zhang (Beijing Youth 
Daily, 6 November 2001) have reported the case where a 17-year-old hacker intruded into an 
official human-resources web site, defaced the homepage, formatted the hard disk of the 
server, and destroyed a great deal of data. It was reported that during his sick leave at home, 
the hacker had picked up his hacking knowledge from the hackers’ web sites, and 
downloaded some hacking programmes. Then he found some web sites with security holes 
and intruded into them. At first, he sent messages to the administrators of these web sites, 
telling them that their web sites had loopholes. Without receiving any reply, he got angry and 
defaced some of these web sites (Yan and Zhang 2001). 

(iii) Challenging technical difficulties 

Technical challenge has been long identified as a motivation. Pipkin (1997) regarded 
challenge as the biggest motivation, meaning that the hacker is excited after succeeding in his 
attack on most secure systems. In one case, a hacker created a Trojan programme named 
IPXSRV, and gained control of 60,000 computers. He manoeuvred this colossal “botnet?” 
to launch denial of service attack against a music web site for three months before the police 
detected it. Investigation revealed that the hacker had been seeking a chance to try the power 
of his Trojan programme, and chose this web site as a target of denial of service attack. As a 
result, the web site was broken down for three months (Secretchina 17 March 2005). 

(iv) Seeking knowledge 

Cybercrime motivated by a desire to seek knowledge is not rare in practice. Jordan (1998) 
reported the motivation of Kevin Mitnick, the most famous of all hackers was to gain 
knowledge, seeking a better understanding of information systems. 

Many computer and Internet users are motivated to acquire knowledge from the devices, 
information and new space. Both hardware and software are the targets of their 
knowledge-seeking attempts. Hackers are seeking knowledge through access to others’ 


computers by fair means or foul. “The Hacker Manifesto” clearly expressed the motivation 





*°3 Botnet is “a collection of compromised computers controlled by the same intruder, often [using] 
remote control software or Internet Relay Chat (IRC) services.” Daintith (2004), p. 56. 
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behind hackers of this kind. It stated that cyberspace was a world of “the electron and the 
switch,” and hackers were called criminals due to their use of the services without paying 
during their seeking after knowledge motivated by curiosity.” 

(v) Testing system security and resilience 

Technical primacy is one of the most important answers to the question “what do 
hackers hack for?” The common sense knowledge about the attacks is that hackers identify 
flaws in systems or software, to allow the developers or the administrators to fix them (See 
Branscomb 1990, p. 24). For example, Brian West used MS Front Page and a web browser to 
identify a security flaw in some web sites that allowed him to have access to proprietary 
information and password files (See U. S. Department of Justice, Press Release, 24 
September 2001). Hacking for security may be quite the same to hacking for insecurity: on 
the one hand, the unauthorized intrusions into the protected systems are illegal; on the other 
hand, the publication of security flaws also poses a real danger for the systems. 

In addition, some physical damage to information systems is also possible when testing 


> one of the 


the resilience of factors under operating conditions. For example, in R. v. Feltis,”” 
explanations of the accused about why he had apparently sabotaged the company's computer 
was that he had been testing the computer, and particularly its resilience to interference, by 
disconnecting two cables and reconnecting them, as a result of which an impairment of the 
computer was caused and an enormous disruption of the business of the company occurred. 

(vi) Adventuring risky online activities 

Traditional adventurers have sought psychic satisfaction from conquering things others 
have seemed unable to do, and during which they overcame unimaginable difficulties. The 
modern adventurers have also found challenges in the field of technology, from 


telecommunications, computers to the networks. The ability to influence huge systems may 


be satisfying in and of itself.”°° Activities, either benign or malicious, on the “electronic 





204 The Mentor, The Hacker Manifesto, 8 J anuary 1986. 

*°° [1996] EWCA Crim 776 (19th August, 1996). 

0 See Ministry of Justice (1985), p. 206; Howerton (1985), p. 54; the United Nations Crime and 
Justice Information Network (1999), Paragraph 74; Schwartau (1994); Branscomb (1990), p. 24; 
Grabosky (2000). Creator of Melissa Computer Virus said that he constructed the virus to evade 
anti-virus software and to infect computers using the Windows 95, Windows 98 and Windows NT 
operating systems and the Microsoft Word 97 and Word 2000 word processing programmes. See 
United States v. Smith (D. NJ) 2 May 2002. 
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frontier” involve the factor of adventure, that is to say, to explore the unknown (Grabosky 
2000, pp. 2-3). What Donn B. Parker called the personification of computers (Parker 1998) is 
also such a motive. Sophisticated viruses indicate that writers who believe that their works 
contribute to the development of science and technology have created them (Kabay 2001). 

Adventure is closely associated with the conception of curiosity. Under the drive of 
curiosity, considerable examples of such curious intrusions have happened, which had 
catastrophic effects (Howerton 1985, p. 54). 

Adventure is not always a simple motive that can be explicitly identified. Sometimes, it 
is closely related to other motives, and in other cases, the adventure motive may be 
ambiguous. According to The Associate Press (19 March 1998), when the hacker, who called 
himself “The Analyser”, and launched an attack against the Pentagon's computer systems, 
was identified by the U. S. Department of Justice and questioned by a special police 
anti-hacker unit, the chief administrator of the country from where the 18-year-old boy came 
praised him: “Damn good, very dangerous, too.”””’ Soon after the incident, the hacker was 
drafted into the national army to serve in an information warfare division, an assignment 
which utilized his computer talents.””° 

(vii) Trying programming skills 

In contrast to testing hackers who try to identify flaws in computer systems, 
experimental hackers try to reveal the functions of hacking programmes. Whether the 
systems are secure or not is irrelevant. Actual intrusion into the systems is only an occasional 
result. Many Internet users did experiments of this kind with software downloaded from the 
Internet, or programmes compiled by them, and sometimes no actual intrusion succeeded. 
Relatively unprepared and unintended, experimental hackers are usually the “first offender’. 
Their purpose is to test the function of intrusion programmes or techniques, during which 
they accidentally succeed in acquiring unauthorized access to the systems. 

(viii) Tentative attacks 

Tentative hackers are similar to experimental hackers in the way that they are unprepared 


intentional intruders. Nevertheless, a distinctive point is that tentative hackers try to use 





aes Pentagon hacker Wins Praise, Associated Press, 19 March 1998. 
208 Israeli Teen Hacker Details Prowess, Associated Press, April 1998. 
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hacking programmes or intrusion techniques. Whether the system is secure and whether the 
intrusion is successful are both irrelevant considerations. For example, some users operate 
password-cracking programmes to access others’ encrypted information. Internet users 
sometimes also try to guess other users’ account ID and passwords so as to enter their 
systems. 

(ix) Expression of hatred 

Hatred may come into being for a variety of reasons. Dissatisfied employees damage 
their employers’ assets. Dissidents are motivated to destroy the states’ critical infrastructure. 
The hacktivists, anarchists, and terrorists all launch attacks against targets regardless of their 
nature. Generally, hatred leads to attempt to weaken the counterparts’ social priorities. 
Examples include ruining computer systems;~” destroying information (Howerton 1985, p. 
55); revealing confidential data (Grabosky 2000, pp. 2-3); and defacing abhorrent web pages 
(Grabosky 2000, pp. 2.-3). 

Envy may also lead to hatred. In cybercrime, attackers commit sabotage due to envy of 
others’ wealth, competitors’ success, and colleagues’ achievements. 

(x) Hacking for financial gains or avoiding payment 

Not only has information itself value, but information systems are also used widely in 
the financial sector (Parker 1998). Because the function of the computer in accounting 
enables a wide use of computers in financial management, embezzlement has been made 
easier by numerous methods (Howerton 1985, p. 54). These methods may include 
information selling without the right to do so; extorting from the victimized organization; 
embezzling from employers; illegally obtaining information to sell to competitors; electronic 
theft of credit-card numbers; and stealing personal information to impersonate someone 
financially (Ministry of Justice 1985, p. 206). 

The perpetrators steal, swindle, embezzle, and blackmail property in order to maintain a 


livelihood, seeking ease and comfort, repaying gambling debts (Parker 1998), or avoid 





°° For example, in prosecuted cases such as United States v. Garcia (C. D. Cal.) 23 February 2004; 
United States v. Diaz (S. D. Fla.) 5 December 2003; United States v. Patterson (W. D. Pa.) 2 December 
2003; United State v. Lloyd (D. JN) 26 February 2002; United States v. Ventimiglia (M. D. FL) 20 
March 2001; United States v. Sullivan (W. D. NC) 13 April 2001; United States v. McKenna (D. NH) 
18 June 2001. 
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payment. In Morgans v. Director of Public Prosecutions,”'” the accused used the telephone 
line to acquire unauthorized access to the computer systems of several different companies, 
thus obtaining telecommunication services without payment. In the face of deliberate 
financial hackers, even the most secure systems on the Internet are meeting universal threats. 

In fact, financial hacking is not always as sophisticated as imagined by the public, for 
sometimes hackers may be the software provider. This is a serious threat for the banking 
system. 

(xi) Hacking for educational reasons 

This kind of hacking is the unauthorized use of the systems for educational purposes. In 
the early stage when computer hardware, software, and network services were expensive, they 
could only be obtained by a limited number of big organizations and universities. Many 
hackers tried to use the system for educational purposes without permission. Nevertheless, 
with the development of less-bulky, low-cost personal computers, this kind of educational 
hacking has become history. 

(xii) Changing academic results 

University students hack for better scores or grades in academic records. In August 1977, 
officials at a large university in the U. S. uncovered a scheme involving payments by students 
who wanted their grades altered in the school’s computer centre. Investigators found that 
several thousand dollars had been paid to a university employee who made changes on grade 


211 From then on, 


cards that were later used to make entries in the university’s computer. 
dozens of students in the U. S. have been caught hacking into school computers to give 
themselves better grades. In one case, nineteen students were suspended after being accused 
of knowingly involved in electronically changing their transcripts. Seven other students were 


told their grades were altered. Nevertheless, this was apparently done without their 


knowledge.*!” 





710 [2000] UKHL 9; [2000] 2 All ER 522; [2000] 2 WLR 386; [2000] Crim LR 576 (17th February, 
2000). The conviction was overruled due to the matter of obtaining the evidence, which was obtained 
through the installation of an interception device into the telephone line of the accused. 

*!! Lehigh University Uncovers Payment to Alter Grade of Student, New York Times, 1 September, 
1977, A-18. 

*I2 ©. Anderson, Hacking the Grade, Originally Aired, 3 September 2002. Retrieved 15 March 2007, 
from http://www.techtv.com/cybercrime/internetfraud/story/0,23008,3396685,00.html 
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(xiii) Harassment and murder 

Internet harassment can occur in nearly every Internet service to direct obscenities toward 
others, and make insulting statements based on gender, race, religion, nationality, or sexual 
orientation (Kelly 2002). In offences where information systems are used as means of 
committing verbal assault, threat, harassment, alarming, spam and fraud, the motivation of the 
perpetrator is to harass and to kill the victim. The function of the Internet as a means of 
communications and with a high anonymity of interaction often entraps the victims into 
unforeseeable dangers. In 2005, China Ministry of Public Security investigated 1,000 
assassination cases, in many of which the criminals found the potential victims through the 
Internet (Yi 2006). In many criminal cases, stalkers and murderers find and entice victims 
through the communication and interaction of various Internet services. 

(xiv) Launching political movement 

For many years, defence forces, governments, and even computer companies have been 
popular targets for sabotage attacks. According to Daler and co-workers (1982), political 
groups in France repeatedly damaged computers, asserting that computers were the favoured 
tools of those who dominate. Italy, the former West Germany, the U. S., the U. K., Japan, and 
the Scandinavian countries have experienced sabotage as well, with both the old- and 
new-fashioned attacks on malicious programmes (Daler and co-workers 1982, pp. 24-25). 

Political hacking also formed an extreme movement: “hacktivism’”. Hacktivists launch 
politically motivated attacks on public web pages or e-mail servers (Vatis 2000). In 1999, for 
example, the homepages for the White House was attacked by political activists protesting 
against the site’s politics.7"° 

(xv) Launching cyber warfare 

People worry that the threat of cyberwarfare will be a future nightmare because hacking 
communities have the ability to launch destructive attacks on computer systems. In recent 
years, a cyberwar was nearly taking place. In 1990, a hacker organization “Legion of the 
Underground” declared war on some countries in retaliation for human-rights violations. 


Several other hacker groups condemned the aggressive act, and soon after, the Legion of the 





713 See U. S. Department of Justice, Congressional Testimony on Cybercrime Strategy, 28 July 2000. 
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Underground retracted their declaration of cyber war.’'* Cyberwafare also happened in the 
initial years of the twenty-first century. Hacker groups became popular in East Asian 
countries during several cyber wars, mostly between hacker groups of different countries due 
to their positional differences on some international affairs. At that time, the relevant 
countries were highly vigilant to potential abuse of computers and networks and invested 
more heavily on information security control. 

(xvi) Carrying out anti-computer actions 

As some people are against mechanicalization, electronization, industrialization, 
modernization, and globalization, others are against the process of computerization, 
informationization and networking. According to Parker (1998), some hacker sympathizers 
describe attacks as justifiable protests or direct action against enemies of the environment or 
of society in general. 

Unabomber represented another kind of anti-computer “hacking”. He carried out 16 
bombings, which, altogether, killed three and injured 23 people. 15 His “Unabomber 
Manifesto” claimed that technological progress brought about undesirable requirements for 
the people, and that the people could stop this situation so as to recover their happier and 
simpler life close to nature (See Kaczynski 1996). Some other activists all over the world also 
destroyed a number of computers to protest against a computer society in which they thought 
that computers were being used to control people.”'® Indeed, they were not hackers in 
cyberspace, but traditional style bombers in real society. 

(xvii) Mimicking cyber Robin Hoods 

Orthodox hackers hack in order to make programmes or information available to others 
free. As a hacker, Maelstrom, stated in an interview that he had never any feeling of moral 
apprehensiveness when he made Internet access accounts available to the public for free 


through hacking (Jordan and Taylor 1998, pp. 768-769). 





*I4 For the story, see Palezewski (2001). For the joint statement, see 2600 and co-workers. Joint 


Statement Condemning LoU Cyberwar, 2600 News, 7 January 1999. Retrieved 15 March 2007, from 
http://www.2600.com/news/view/article/361 

*1° ‘The offences were carried out during 1978 and 1995. As of 2004, Kaczynski was serving a life 
sentence without the possibility of parole in a maximum-security prison in Florence, Colorado. 

*I© The French activist group called CLODO (Comité de Libération ou de Détournement des 
Ordinateurs), committed the offence between 1979 and 1983. 
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Whether some charitable concerns or individuals will also crowd online to hack for 
money is an unanswered question. A hacker initially wanted to test how the security level of 
the mobile communications networks. After he found that he could make money through 
selling the cards with revised passwords, he opened a specific bank account in which to 
deposit the money, a separate account from his own daily-used bank account. He said that he 
did not hack for himself, but for the wellbeing of others. He donated 200 Renminbi Yuan 
(about 20 euros) to a leukaemia patient (Gao 2006). 

Cyber Robin Hoods do not always publicize their intent. But on some web sites, methods 
for counterfeiting money are published. 

(xviii) Practising unfair competition 

In order to enhance competitive capacity, businesses also engage in attacks against 
competitive rivals. In the 1990s, when the Internet economy boomed, many big online 
enterprises secretly attacked the web sites or defame the reputation with each other. Attackers 
benefit from the decline of competitors and from the increase in their own market share. They 
even practice access to each other’s computer systems to obtain business secrets. In the rapid 
development of the information market, such destructive or espionage activities are fatal to 
the victimized enterprises. 

(xix) Practising trap marketing 

Some anti-virus compilers plant computer viruses and other destructive programmes into 
their anti-virus software to force users to purchase the upgraded versions of anti-virus 
software they compile or sell. By doing so, they hope to increase the market share and sale of 
their own products (Jiang and Yu 1997, pp. 18-27). Web sites owners also frequently use this 
trap marketing. Cookies are an example that is widely known and accepted. In malicious 
marketing cases, some web sites infect users’ computers with embedded harmful codes and 
instruct the users of infected computers to visit their web sites repeatedly and to pay for 
cleaning the computer. Other forms of entrapment also include kidnapping computers or 
programmes in order to render the machine repeatedly operating in a way benefiting code 
writers or spreaders. Web browser manipulation is one such abduction that controls the 
homepage, or even the whole browser, and is directed solely to the perpetrators’ web sites. 

(xx) Strengthening self-defence 
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Hacking has also been used for self-defence. For example, in order to prevent illegal 
replication of software, a pair of Pakistani bothers bundled “Brain Virus” into their software 
and attacked Delaware University in October 1987 (Forester and Morrison 1994, p. 93). Their 
idea was that only those who pirated the software would be victimized, the virus being an 
automatic retributive tool. The followers of a religious cult in an Asian country also attacked 
the satellite communications systems as a means of self-defence. The government charged the 
religion with being an “evil cult” and prohibited its practice. In revenge, members of this 
forbidden religion used the Internet to hack several times into the satellite broadcasting 
system, and changed the official TV programmes to video programmes disseminating the 
“truth” about this religion. 

The idea of the above-mentioned “Pakistan virus” is not without descendants. Many trial 
versions of software (or shareware) include similar idea in expressive form. While some of 
the trial versions can work in one way or another after the trial period, other trial versions can 
be completely disabled. For example, a certain kind of operating system provides a 30-day 
trial period, after which the system cannot be operated without registration, which implies a 
process of purchasing. Without the operating system, the computer is simply broken down 
--analogous to an attack launched by a logic bomb, except that it is an “attack” under the 
cover of failure to register after the trial period. 

(xxi) Hacking for recreation 

Both recreation and hacking are exciting. Randall and co-workers (2000) found that 
excitement was a major reason for hacking. Here, hacking has an equivalent function to 
entertainment. Although computing is different from gaming, the computer has a close 
relationship with gaming. Not only are computer and online games prevalent, but the use of 
the computer and the surfing of the Internet may serve gaming instinct. Many users enjoy 
online surfing, interaction and self-publishing, but fewer experience success in accessing and 
controlling others’ information. But by overcoming the slight difficulty in cracking users’ 
password or other access-control measure, a unique pleasure is afforded to users who 
experience this victory. 


(xxii) Employment-related hacking 
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Although considerable hacker activities are in fact illegal, the successful hacker will 
usually be admired for his or her skills. At the same time, many hackers have been offered a 
well-paid job as a computer expert or even security manager. For example, Robert T. Morris, 
was one such. He created the Morris Worm in 1988, infecting about 6,000 computers and 
causing losses that ranged from 200 to 53,000 dollars each. At present, on his web site, he 
writes that: “I’m at the MIT Computer Science and Artificial Intelligence Laboratory...”7!” 

Banks (1997) related hacking to employment, which means that if the hacked system 
owners caught the hacker, they would employ the hacker exactly to protect the systems from 
other intruders. 

A high-profile employer can employ a hacker who has damaged thousands of computers 
and caused losses of millions of dollars, a natural analogy is that a better chance of 
employment should be hacked together through millions of computers, and billions of dollars 
of losses. Alternatively, less skilful hackers might try to damage some hundreds of computers 
and obtain an ordinary job offer. Criminal hackers are usually better off after their hacking 
activities have been made public. 

By saying this, we are not making complaint about a function of the judicial system that 
allows the rehabilitation of those who have committed offences in this way. In contrast to the 
ideal “general deterrence,’ the question arises as to whether such a practice serves a 
generally-motivating role. 

Employment-related hacking is not limited to getting employment opportunities through 
hacking. Hackers have sometimes hacked as a form of retribution when an employer has not 
provided an offer. Skeeve Stevens seriously damaged the AUSNET, an Internet company that 
refused to employ him. He had compromised 1,225 credit cards and displayed a message on 
the company's homepage in April 1995, saying, “AUSNET is a disgusting network ... and 


219 after 


should be shut down and sued by all their users!”?!® In addition, in DPP v. Lennon, 
being dismissed, the accused had downloaded a mail-bombing programme from the Internet 


and used it to automatically send about 5 million e-mails to the former employer’s e-mail 





7!” Retrieved 15 March 2007, from http://pdos.csail.mit.edu/~rtm/ 
218 Phrack Magazine, volume 8, number 53, 8 July 1998, article 14 of 15, OXd. 
*I9 Director of Public Prosecutions v Lennon [2006] EWHC 1201 (Admin) (11 May 2006). 
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servers. His purpose was to bring in the company into a “mess” and did not think his action 


was criminal. 


(xxiii) Hacking for the hacker community 

For those who regard themselves as hackers, “hacker” is a symbol, a label, a banner, a 
movement, a front, and a centripetal force, regardless of the fact that each hacker, particularly 
each of the malicious hackers behaves in a pattern that is not necessarily the same. Therefore, 
the hacker community is in reality a symbolic clan in which members “hack” in variant ways 
and for different ends. 

Regardless of the fact that the members of the hacker community are heterogeneous, 
cases where hackers have united to take actions against legal or administrative measures 
targeted at certain “members” of their “hacker community” are not rare. The mere name of 
“hacker” may serve to raise an emotive force capable of bringing all kinds of hackers together, 
including traditional hackers, and hackers who are regarded as cybercriminals. In fact, in such 
a case, their activities are unreasoning: on the one hand, the activists do not belong to a single 
group; on the other hand, their targets are far from being only the web sites of the 
law-enforcement agencies. Their good will is to maintain the image of a “hacker community” 
as a whole, to prove their power against traditional government and law enforcement, and to 
resist an outside invasion. 

Sub-culture was a term first used by A. K. Cohen in Delinquent Boys: the Culture of the 
Gang (1955) to denote a group or groups inside the host culture with different values from it, 
as evinced through their expression in deviant behaviour (Walsh 1983, p. 214). Zheng (2004) 
attribute this motive to impact of the internal communications of the cybercriminal 
sub-cultural group. As to the situation in traditional criminal sub-cultural groups, these 
communications produce coherence inside the group. However, the network exists as a means 
of communications and enhances the communicative pattern of cybercrime. Intrusion 
techniques and skills are the just contact-nodes for their members. 

(xxiv) Destroying evidence contained in information systems 

Information systems usually contain evidence for various kinds of cases, civil, criminal or 
administrative. The party for whom the evidence is unfavourable has a motive to destroy it, 
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before or during the search and seizure by law-enforcement agencies. In R. v. Anitta 
Debnath,””” after the police began to investigate her harassment of the victim, the perpetrator 
paid a group of computer hackers to assist her to hijack the victim’s e-mail, in order that the 
victim could no longer access the account. 

(xxv) Sexually motivated misuse of information systems 

Sex crimes cover a broad category of deviance. The most frequently prosecuted forms of 
sexually motivated misuse of information systems are the recording, depositing, transmitting, 


and trading of child pornography;*”" 


sexual harassment through communication by using 
information systems; and promotion of (illegal) prostitution with the assistance of information 
systems. 

(xxvi) Child abuse 

Children are vulnerable group of people in society. Although international consensus has 
been achieved and treaties have been implemented requiring governments to “take all 
appropriate...measures to protect the child from all forms of physical or mental violence, 
injury or abuse, neglect or negligent treatment, maltreatment or exploitation, including sexual 
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abuse...,” 


incidents, in which children are abused frequently happen. The abusers are 
increasingly using information systems to lure children to engage in sexual activity and 
spread child pornography. For example, in R. v. Kasam,’ the accused used his computer to 
collect hundreds of images and several video clips of child pornography (paragraph 2.5). In 


one compact disc were found 3,200 images of child pornography downloaded from the 


Internet (paragraph 2.4).°** Besides sexual motives, there may also be present violent abuse 





* [2005] EWCA Crim 3472, No. 200501008A7. 

*! See for example, United States v. Ziegler (No. 05-30177 D. C. No. CR-03-00008-RFC ORDER 
AND OPINION, 6 March 2007), in which the perpetrator used the company’s computer to view, 
deposit and exchange child pornography. 

*? UN Convention on the Rights of the Child (adopted and opened for signature, ratification and 
accession by General Assembly resolution 44/25 of 20 November 1989, entry into force 2 September 
1990), Article 19. 

3 9004 ONCJ 136 (CanLID), Docket: 10018867. 

*4 The court listed some of the depicted graphic scenes that are identified as child abuse: 

“ (a) A 6-month-old baby girl with an adult male penis having ejaculated onto the vaginal area of the 
child; 

(b) A blind-folded 4-year-old girl performing fellatio on an adult male penis; 

(c) An adult male performing anal intercourse on a 7-year-old girl; 

(d) A 5-year-old girl performing fellatio on an adult male; 

(e) An adult hand is fondling a7 to 8 year-old girl who is handcuffed. Several adult fingers are 
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of the child. These two aspects are closely connected with each other. In R. v. Sharpe, the 
court held that “the possession of child pornography and associated harms to children is the 
use of child pornography by paedophiles to groom children into committing sexual acts” 
(paragraph 205). 

(xxvii) Anti-deviance hacking 


In both cases of United States v. Jarrett?” 


and United States v. Steiger,-*° hackers 
reported the cases and provided critical evidence for the law-enforcement agencies. They have 
never appeared before the court or been prosecuted. In other cases, such hackers were sued. In 


a civil case, Fischer v. Mt. Olive Lutheran Church,””” 


other employees in the Church 
suspected Fischer, a Lutheran minister, of engaging in sexual misconduct. They hired a 
computer expert to guess the password of the Hotmail account that the minister was known to 
use frequently. As a result, they cracked the password, looked through and printed the 
minister’s messages, in some of which were included contents about sexual activity between 
the minister and other men.””® 

(xxviii) Comprehensive motives 

In some other cases, the offenders have multiple motives, interrelated or unrelated with 


each other. For example, in R. v. Geller,” 


the offender possessed 101 pornographic images, 
chatted with young girls of 13 or 14 years old in order to establish relationships (paragraph 5), 
obtained 400 credit cards and other personal information through hacking, accessed the 
Internet for 28 times without paying (paragraph 6), and engaged in activities that lead 


information systems to malfunction (paragraph 7). 


(xxix) Unclear motive 





inserted into her vagina and her rectum is penetrated with a long stick; 
(f) An 8-year-old girl is at a pinball machine. During the 6 minute video she is fondled by an adult 
female who undresses the young girl, fondles her and ultimately the adult female performs cunnilingus 
on the young girl on the pinball machine; 
(g) The same adult female takes the same 8-yar-old girl in the pinball video in another video and the 
young girl is guided by the adult female to perform fellatio on an adult male. The video is entitled 
R @ygold_the family; 
(h) Another video entitled family 10.jpg depicts a 6-year-old girl who is naked sitting on a toilet 
performing fellatio on an adult male.” See ibid., paragraph 2.6. 
* Fourth Circuit No. 02-4953, 3 June 2003. 
*° Eleventh Circuit No. 01-15788, 01-16100 and 01-16269, 14 January 2003. 
zs Western District of Wisconsin No. 01-C-0158-C, 28 March 2002. 

ibid. 
°° 2003 CanLII 31190 (ON S.C.), Docket: 493. 
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While many perpetrators act in a way to achieve something or destroy something, others 
act without reasonable reasons. In some cases, it is impossible to detect an impressive motive 
from the facts of the offence: the revelation of the abuse of information systems cannot lead to 
a clue for a useful identification of the state of mind. In State v. Moning, the accused used the 
computer terminal to obtain access to the database to run a query on the previous drug 
conviction of his acquaintance. After he printed a copy of the information, he handed the 
victim the printout. At this point, the victim became aware of the perpetrator’s behaviour and 
reported his unauthorized access.”*° 
(xxx) (Not motivated but) influenced by psychological depression 


In R. v. Taylor, 


the accused woman illegally accessed the account of a man through 
computer systems and issued an unauthorized passbook for the account, with which an 
unidentified man attempted to withdraw £25,000, succeeded in getting £500 in cash but failed 
to get £24,500 in cheques. The opinion of the doctors showed that the woman was diagnosed 
as HIV positive during her committing the offence and was in a state of "clinical depression" 
which affected her judgment about her behaviour and the likely result of her behaviour. 

Curiosity is an irresistible mental power, propelling people to know the unknown and to 
control the uncontrollable, or to destruct the constructed, and to deorganize the organized, 
whether in the macro or the micro dimensions. Information systems are a dimension which 
has developed partly under the dynamics of human curiosity and has been threatened partly 
by this force. 

Apart from the abundant findings identifying motives in this study, I found that for many 
hackers, instead of hacking for something, they have succeeded in hacking and then found 
something to obtain or destruct. The initial hacking was merely a random activity that 
accidentally succeeded in furthering additional actions. Successful hacking, it could be 
imagined, might lead to any kind of sabotage, destruction or vandalism, the obtaining of 
confidential or proprietary information, acquiring control over a system, and so on. Therefore, 
we can safely conclude that there are hackers who hack out of specific motives, and that there 


are also hackers who firstly hack and then find opportunities to reach specific goals. For 





*30 2002-Ohio-5097. 
*31 11998] EWCA Crim 1545 (12th May, 1998). 


hackers with specific purposes, the hacking process may be a sophisticated endeavour before 
they take hold of the compromised system, because they have to conquer the unknown 
continent of security. For hackers with less clear initial purposes without wanting to obtain 
something specific or destroy something specific, the hacking process may be more 
straightforward until the system is exploited, because they only harvest from a conquered land. 
These different hacking models imply that the goals can emerge before the beginning of the 
initial hacking or after the success of the initial hacking—in the latter case, the attempted 
hackers are likely to defend themselves by expressing the benign motive of wanting to face a 
technological challenge or a security loophole rather than by stating a malicious intent of 
economic espionage or sabotage. In this latter case, the motivation is that of a challenging 


adventure into the partially unknown. 


6.8 Conclusion 


Information systems store rich and colourful resources, attracting digital community 
constructors, conquerors, conspirators and criminals. With one-sixth of the population 
connected online, with a prolonged online time, and diversified online activities, it is natural 
that cybercriminals constitute a greater ratio among the Internet users, and that cybercrimes 
will constitute a greater proportion of the whole crimes. If the unbalanced demographic 
distribution of computer and Internet users exists within different age groups, the comparison 
of their online behaviour is a valuable indicator in finding the reasons for this. The key 
concern in this comparison is that of the role of juveniles and young adults. Empirical studies 
have disclosed that youths may have more chances to use computers and the Internet and are 
more likely to commit cybercrime and be victimized. The natural and social properties of 
different age groups have been shaped in different ways. Different have been their 
educational background, financial status, sense of responsibility, family structure, social 
interactions and interconnections, self-control, psychological make-up, and _ interest, 
knowledge, and skills. These distinctive characteristics determine that they are confronted 
with different chances and challenges in information systems, and in respect of gaining and 
losses in the online activities. As a result, young people are more likely to be involved in 
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online adventures, stalking or stalked, exploiting or exploited, hacking or hacked. 

The internal reasons why criminals are devoted to cybercrime are connected with the 
functioning of information systems. This shows that the novelty and mobility of information 
systems enable people from quite different contexts to find something useful, valuable and 
profitable. Psychological satisfaction, spiritual enjoyment, financial obtaining, winning fame, 
opportunity getting, and fortune seeking are all realizable through the use and misuse of 
information systems. The motivations of committing cybercrimes are diversified. This means 
that cybercrimes are profitable for whatever purposes the criminals are pursuing. 

To sum up, the criminals’ motives may be satisfied in part by her or his having 
committed a crime against the person and in part by his having committed a crime against 
property. And there may be motives that can be satisfied outside both these opportunities. 


Motives of likely offenders are different but barely novel (Grabosky 2000, pp. 2-3). 
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CHAPTER 7. CRITICAL FACTORS IN COMBATING CYBERCRIME 


7.1 Introduction 


Information systems have multiple vulnerabilities (Chapter 3), plays multiple roles in 
cybercrime (Chapter 4), while the cybercriminals are themselves have varied motivations 
(Chapter 6). This chapter will discuss critical factors in the fight against such offences. The 
core question I seek to answer the question of the ease ordinarily in finding cybercrime. By 
saying “find”, I cover a wide range of activities leading to punishment: detection, reporting, 
investigation, prosecution, proving and conviction. 

At present, the fight against cybercrime also necessitates better knowledge about the 
critical factors. For several decades, many commentators have written about the 
characteristics of cybercrime, and many aspects have been generalized in the light of the 
surveys, observation and thinking (Thompson 1989; Sieber 1998, etc.). 

The following chapter is designed to make a synchronic inquiry into the characteristics of 


cybercrime in comparison with traditional offences. 


7.2 The victims of cybercrime 


The perpetrator-victim relationship in cybercrime is developed through information 
systems in a process of human-machine-human interaction. The perpetrator fulfils the first 
half of the interaction and the victim is imposed into the second half of the interaction. That is 
to say, the victimization of victims of cybercrime also relates to information systems. Victims 
are also users whose information is deposited in or published through information systems, 


whose daily life or operation depends on the systems, or whose welfare is increased through 
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the systems. Like cybercriminals, they are also distributed over an unlimited area. 
addition, in cases such as virus attacks, multiple victims can be involved. Thousands or 
millions of users are also likely to be victimized in one case even. Individual users usually 
have a lower awareness of cybersecurity than corporate users, and invest less money and time 
in maintaining and protecting the systems and less on updating their anti-virus software. 
Although individual users are more vulnerable to potential threats, their losses are usually 
neglected and underreported. 

Computer networks are not so new, but the pervasive use of them is a recent 
development. The current generation of people accepts, and depends more on, information 
systems than previous generations. There exists a clear-cut information generation within the 
information society. Because more young people use the Internet than the elderly do, it is 
natural that these youths are more likely to be victimized in cybercrime. Thus to some extent 
cybercrimes are offences of youths against youths. We do not find a sharp reduction of 
computer use with the increase in the age of young users. Therefore, it is to be expected that 
with the increase in age of the Internet users, more victims will also be found in future among 
older users. 

Simultaneously, it is undeniable that with more and more organizations pursuing online 
businesses and other activities, the likelihood that these organizations will be victimized will 
also grow. In fact, the victims of the original offences against information and information 
systems were mainly organizations. In the future, they will still be vulnerable to inside and 
outside attacks. One advantage these organizations have for protecting their information and 
information systems is that they have a greater capacity than the individual users to afford the 


anti-virus, firewalls, other access-control mechanisms and for updating these mechanisms. 





°32 Ror example, in United States v. Magnuson (Fourth Circuit No. 964957, D. C. No. CR-96-186-A, 
24 June 1997), the accused used his home computer to attack one victim’s computer servers in seven 
states. Apart from unauthorized access to information systems, other crimes committed with the 
intervention of information systems can also involve globally distributed victims. For example, in 
Bohning v Government of the United States of America [2005] EWHC 2613, the accused exploited 
the telecommunications systems to contact young girls and arrange sexual relations with them. The 
police revealed from his laptop computer thousands of images of child and baby pornography. The 
e-mail and chat messages proved that he had transmitted pornographic material to young girls over the 
world and incited them to engage in sexual relations with him (paragraphs 2 and 3). 


205 


It is a trickier question when the online victims are more likely to be victimized in a 
“voluntary” or “active” manner. For example, the Nigerian 419 fraud victims may transfer a 
sum of money voluntarily to the perpetrators; victims of date rape may go to meet the 
potential criminals voluntarily; or users may voluntarily retrieve web pages that contain 
malicious codes, and so forth. Victims are also more likely to admit their “willingness” or 
“activeness” and less inclined to report the case. 

Actual victimization in cybercrime can be more complex through the extension of 
victimization. For example, the senders of e-mail messages have adopted clever tricks in 
soliciting recipients. Opening the messages and the attachments is the first goal of the senders. 
Generally, they use ambiguous and false sender and subject columns, but ensure that there are 
valid contents (except messages spreading viruses) to show their offers and set their traps. 

Unsolicited e-mail messages can have a broader influence on criminal phenomena, 
where the question is not only of victimization, but also one of conspiracy. Not only do e-mail 
communications become an offensive means by which the recipients are victimized, but these 
victims then serve as part of a conspiracy, for they are seduced to participate criminal 
operations. 

In the Internet environment, the most frequent victimization model begins from an 
exposing of victims to potential threats, which we can call the exposing-victimization model. 
With this model, the victim of unsolicited messages merely puts his/her e-mail address on the 
web pages, bulletin-board systems, uses it in the chat systems, or even simply transmits it 
through the Internet. The exposure is not necessarily a show-off. Rather, it is just a kind of 
presence on the Internet literally or digitally, something inevitable. Nevertheless, the 
exposing-victimization model at least implies that the senders of unsolicited messages could 
easily get the e-mail address in the same way as other Internet users do, without further efforts 
in collecting or harvesting these addresses. 

In other cases, the senders of messages have a search process, and follow the 
searching-victimization model. Due to the large quantity of web pages and other 
Internet-related contents, the direct artificial collection of multiple e-mail addresses becomes 
inefficient. The senders (here we also imply address providers) utilize specialized software to 
harvest e-mail addresses from the Internet. This collecting process becomes automatic and 
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efficient. The perpetrators have created the searching-victimization model in sending 
messages. Besides harvesting, they also use a dictionary attack and/or an automatic 
alphabetical permutation and combination to enumerate possible usernames in e-mail 
accounts. These methods can also be categorized into a searching process. For the senders, an 
e-mail account with a random word might not represent a specified person; but for the 
recipient, he/she is readily the victim of this unsolicited message with attachment. 

The victimization of recipients of unsolicited messages happens without the appearance 
of the recipients in their e-mail account. The victimization means that their e-mail accounts 
are being spammed, whether they open their accounts or not. Under current the legal 
framework, the receiving of unsolicited messages is sufficient to constitute a victimization of 
the behaviour to be imposed punishment. 

However, the victimization of unsolicited messages does not end at the initial 
victimization. The above-mentioned models could be called the first-level effects of 
unsolicited messages. Subsequently, the second-level effects are based on the initial 
victimization. There are possibly also two submodels: initial victimization-subsequent 
victimization model and initial victimization-conspiracy model. 

The initial victimization-subsequent victimization model happens when the messages 
include viruses, fraudulent sales of goods, or falsified financing and banking services. The 
first-level victimization is being spammed, while the second-level victimization is being 
attacked or swindled. 

Second-level victimization is not always fulfilled so simply. There is usually involved an 
initial victimization-exposing-searching-subsequent victimization process. In the case of the 
Nigerian 419 fraud, the recipients of the unsolicited messages were firstly victimized by 
receiving messages of this kind (being spammed). If they took a positive reaction to the 
messages, they were further exposing themselves to the senders. Upon receiving the 
recipients’ response, the senders further worked on the vulnerability of the recipients and the 
possibility of obtaining their property. The process of searching and exposing might be 
repeated a number of times. If the senders succeeded in obtaining the recipients’ property, the 


last stage of victimization would occur and the swindle would end. 
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The victimization-conspiracy model is realized when the messages include tax evasion 
services, sales of pirated software, sales of falsified documents, and so on. The recipients of 
such offers are firstly victimized by the unsolicited messages; and if they participating the 
illegal operations, they then become conspirators of the senders. 

Because the recipients of the unsolicited messages inducing conspiracy in an illegal 
operation would expect to benefit from the cooperation with the senders, the senders are more 
likely to send attractive messages of the above kind. In fact, in Nigerian fraud, the senders are 
usually personating politicians who want to transfer property (money, diamonds, and so on) to 
the bank accounts of the recipients. As a result, the “conspirators” of money laundering are 
finally to be victimized in the trickery. 

The phenomenon of unsolicited e-mail messages has further proved the low 
controllability or uncontrollability of the information-network environment. Any e-mail 
address is vulnerable to unsolicited messages that are sent to exposed accounts on the Internet 
or to a supposed account according to the dictionary. For the senders, both ways could be seen 
as a process of searching. For recipients, both ways could also be seen as a process of 
exposing. However, these searching and exposing processes have become more abundant and 
colourful in the Internet environment than during pre-Internet times. 

The mere browsing of the web pages is the easiest method to get an e-mail account, but it 
is less efficient. The sender can also purchase millions of addresses of different interests of 
users from the specific vendors. At an inexpensive price, the buyer can conveniently reach a 
majority of these addresses. Besides, address harvesting becomes automatized and prevalent 
with the help of powerful software. Anyone with a mild computer and Internet knowledge has 
the ability to master the uncomplicated skills and subsequently collect thousands or millions 
of addresses with specific software, which can be downloaded from the Internet free of charge 
or with a small sum of payment. 

The exposure of an e-mail account on the Internet is unavoidable, because the exposure 
is in so broad a sense that everything in the normal use of the account could be seen as an 
exposing process, including the sending and receiving of messages; publishing on web pages, 
chat rooms, and BBSes; providing account information to register in online services; or 
exposing nothing more than a coincidence with a phrase from a dictionary vocabulary; or 
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merely a permutation and composition of letters and numbers so that the senders are also 
fabricated. In fact, exposure of a single e-mail account will not be so risky without the 
harvesting mechanism, because it is an inefficient way of picking up a single e-mail account 
from the Internet. However, it cannot be ignored because the e-mail account vendors could 
collect and transfer it in a dynamic process, and finally form a growing account database to 
maintain their business. The harvesting software and a dictionary attack undoubtedly deepen 
the victimization of the e-mail account holders. 

In general, the exposed e-mail account might face double risks of being victimized: 
being picked up in a formal browsing of web pages and use of other Internet services; and 
being harvested and guessed. Compared with daily-used e-mail accounts without showing up 
on the web pages or other Internet services except merely sending and receiving messages, the 
published accounts are more likely to be victimized. Therefore, it seems more likely that it is 
the process of harvesting rather than that of guessing is the one that the vendors of the 
database of e-mail accounts and senders of unsolicited messages feed on. As a result, the 
double risks of exposed e-mail accounts are in fact unbalanced risks: the risk of being 
victimized by collectors and harvesters is far more serious than the threats of the guessers. 

Unsolicited messages provide e-mail users with several different choices, either 
legitimate or illegitimate, either to conspire or to be further victimized by attached viruses or 
pre-established fraud traps. The majority of messages granted recipients two alternatives: to 
conspire in tax evasion, or to be damaged by viruses. 

In the case of conspiracy in tax evasion, the senders always provide valid contact 
methods to induce the recipients to participate in illegitimate activities. These offers 
seemingly aim to establish a relationship between service provider and clients. Nevertheless, 
the true effect is that they form a conspiracy. The recipients have to react actively before they 
become conspirators in tax evasion schemes. The process might involve repeated exchange of 
e-mail after the initial unsolicited messages. Under these circumstances, the unsolicited 
messages might be transformed into literally valuable (but morally wrong and legally 
prohibited) information. Thus, the recipients might be less averse to such messages. Such 
messages become the means of communication for the trespassers and criminals, hence 
posing great threats to social-control attempts to frustrate illegal activities. 
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In the case of viruses attack, the senders exploited social engineering to induce recipients 
to open the messages and subsequently the attachments, by blurring the sender and subject 
columns and falsifying the message contents and name of the attached files. These messages 
do not require replies from the recipients before they cause damage. They are also dangerous 
for the recipients in the sense that they are harming the recipients’ hardware and software, 


wasting the labour force, and hindering the business. 


7.3 Time factors in cybercrime 


All offences happen in relation to a certain time. Information systems make a more 
efficient use of time, either in positive social actions or in negative social actions. A single 
cybercrime can be completed in a very short time, say, seconds or minutes. The simplest 
example is to modify or destruct data in a hard disk. The more complicated example is the 
possibility of transferring the U. K.’s total currency reserve in 15 minutes to another country 
(Kelly 2002). General cybercriminal offences can involve tremendous information 
transmission in a relevantly short period. For example, in R. v. Kirkwood,” the accused 
downloaded 934 computer games and uploaded 592 over a period of three months through his 
bulletin board, which had specialized in exchanging copyright games. 

However, preparation for some kinds of cybercrime may be time-consuming, usually 
taking several days, weeks or even months. It depends on the attacks projected, the 
complexity of the process, and the security technology of the targeted users. The more 
sophisticated the perpetration is, the more time is needed for preparation and processing. The 
more sophisticated the security measures are, the more time is needed for overcoming them. 

Many offences are committed in a particular natural time or social time. Natural time is 
the time-span depending on the natural cycle, for example, four seasons and 12 months of a 
year, seven days of a week, twenty-four hours of a day, day and night, etc. Social time is the 
time span depending on the social cycle, for example, work time and spare time, holidays, etc. 
Circumstances are particular time-spans accompanied by natural events, such as wind, snow, 


rain, etc., or social events, such as war, riot, strike, demonstration, etc. 





*33 19005] EWCA Crim 3534 (21 December 2005). 
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In the traditional crime of bank robbery, robbers have generally to act when the bank is 
open, when money is in the safe, when money is being transferred by special vehicles. It is 
not a prerequisite for cybercrime to depend so much on time. In principle, electronic cash can 
be “stolen or robbed” at any time, whether it is work time or not. 

Many traditional offences are environmentally or weather dependent. In the case of 
cybercrimes, the environment and weather become less important. For example, in traditional 
larceny, when a thief walks in rainy weather, the footprint may soon be eliminated by water, 
but the footprint may be left if it is in the snow; the wind may conceal the sound of a footstep, 
and it may be more difficult to see the thief in the dark than on a clear moonlight night. In the 
environment of cyberspace, the factor of weather is nearly irrelevant, that is, cybercrimes are 
an all-weather business. In whatever kind of weather, cybercriminals can sit at a computer and 
perpetrate whatever kind of activity without fear that victims or the third parties will discover 
him in person. 

Cybercrime can cross time-zones, so that the “time” in a day, measured by the criterion 
of law enforcement, is not so relevant in the offence. Traditional offences may be committed 
in different periods of the day, for example, stealing when it is dark, burglarizing when the 
house-owner is at work, etc. Online illegal obtaining of information and money may not be 
time-limited. However, due to strict supervision and the monitoring of online activities, the 
perpetrators may have to avoid the work time. 

Once successful, attacks may continue for a long time, for instance, for several weeks or 
for several months. In the case of pure illegal access and the obtaining of information from 
computers, the victim can hardly find the intrusion in the subsequent months. The intrusion 
may be repeated before the loopholes are fixed. In addition, influences of some kind of 
viruses on whole information systems may last for several years. Once created, viruses can 
never be annihilated and prevented from spreading. Although old viruses may become less 
harmful due to the use of anti-virus, the less protected computers can still be infected in 
subsequent years. Another example of continuing cybercrime is the Nigerian 419 fraud, which 
has been prevalent for several decades and is still a big threat to Internet users. 

Malicious programmes, frauds and some other cybercriminal tricks, once they have 
emerged, may be analogous to natural viruses or bacteria. They exist independently despite 
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people’s use of anti-viruses, which are like an immunity injection for human bodies. As 
viruses or bacteria may infect those for whom the injection has failed to take, the failure of 
anti-viruses may reveal the vulnerability of the systems. The attack happens wherever there is 


a security loophole. 


7.4 Spatial factors in cybercrime 


Like traditional crimes, cybercrimes are also more or less related to the factor of space. 
The possibility of the trans-territoriality of individual cases is high. 

The phenomenon of cybercrime is distributed everywhere. In some cases, offences are 
committed in such a way that the activities take place in a distributed manner. In R. v. 


Dooley,” 


the court found that such file sharing networks as KazaA could facilitate Internet 
users to share various kinds of files through changing computers connected to the Internet into 
servers that were accessible to other members, who then install the same software in their own 
computers, regardless of the location of the computers. 

The frequencies of these cases are different in various regions and countries. The 
objective description of the global situation proves that though cybercrime is characterized by 
its universality, it is undeniable that cybercrime cases are rare in some countries. For example 
in Finland, according to Miettinen (1996), from 1980 to the time his study was published, the 
officially-investigated hacking cases were only 10-15 in number. Although hacking cases 
involving one or two million dollars of losses also existed, the frequency and severity of the 
cases were less comparable with cases that happened in countries such as the U. S. In West 
European countries, cybercrime is also less serious than in the East European transition 
countries. 

Definitely, cybercrimes also leave some kind of traces in digital form and can be used as 
clues for a traceback. However, we find that cybercriminals are less anxious about traces of 
this kind than about the risks of being exposed in person. The straightforward example is a 


person who will dare to intrude into a computer in a neighbouring room through the LAN, but 





34 19005] EWCA Crim 3093 (1 November 2005). 
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not dare to enter the neighbouring room without permission to gaze at the computer screen, 
not to mention operating that computer without permission. If a remote intrusion is in 
question, such as an unauthorized access from Europe to a computer in the U. S., the user has 
hardly any fear of being exposed or caught. Therefore, trans-national cybercriminals are less 


discouraged from engaging in these activities by the deterrence of law enforcement. 


7.5 The technological nature of cybercrime 


In the new millennium, the information economy is a popular expression used by 
entrepreneurs, while cybercrime is a popular expression used about the criminals. Many 
scholars have recognized the intensified technological involvement in cybercrime (For 
example Conly 1991; Clark 1996; Stephenson 2000; Mandia and Prosises 2003; Mohay and 
co-workers 2003; Vacca 2005; Johnson 2006). In all cybercrimes, computers and the Internet 
are used as tools. Even if what is in question is an attack where computers or networks, or 
information is targeted, the necessary tools are still computers and the Internet, without which 
the offence may fall into the traditional offences, and cannot be classified as cybercrimes. 
However, technological involvement is a necessary but not sufficient condition. Illegally 
assembling computers with market traded computer parts can hardly be a cybercrime. Yet, 
illegally manufacturing computer chips can be. Definitely, if traditional forces and 
technological means are combined in a certain offence, both cybercrime and traditional 
offence can run together. For example, a bank employee may be abducted and forced to reveal 
the IDs and passwords. The combined use of these means is not rare in practice. 

Certainly, the computer may not be the only tool in a certain cybercrime. For example, 
wireless networks and mobile networks provide particularly complicated ways of making a 
command to launch an attack. 

The extent of technological involvement is different in various cybercrimes, from simply 
cracking a less complex password to controlling thousands of bots all over the world to 
launch distributed denial of service attacks. The situation is, regardless of whether 
straightforward or sophisticated techniques or instruments are used in illegal activities, the 
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damage can always be substantial. Although the overall losses of computer misuse are 
difficult to calculate, the losses of a single victim may be overwhelming, particularly when an 
individual does not keep separate back-ups. An attack, even by a straightforward technique, 
can also result in serious consequences in considering the various detailed situations of 
victims. 

In cybercrimes, in addition to the possibility of manoeuvring multiple computers, the 
available tools, means and functions are also numerous. In fact, much malicious software can 
be downloaded from the Internet. Many hacking techniques can be learned online. There are 


opportunities to purchase a malicious programme from the Internet as well. 


7.6 The complexity of cybercriminal activities 


The Internet allows for the communicating and planning of criminal activities in more 


different ways than in even the recent past.” 


The Internet also accommodates exchange of 
cybercrime methods free of charge, or provides sales of malicious programmes (Behar 1997, 
p. 66). Advanced criminal mechanisms enable the attackers to avoid prosecution or 
complicate investigations in a straightforward manner (Sofaer and co-workers 2000). This 
further enhances their universality and concealment, making law enforcement more and more 
impossible. 

Furthermore, imagine the time when there were only 20,000 computers connected to the 
Internet globally, Stoll (1988) described the process to trace the break-ins by a persistent 
computer intruder attacking Lawrence Berkeley Laboratory (LBL). The traceback took nearly 
a year of work apart from requiring the cooperation of many organizations including the U. S. 


FBI and the German Federal Criminal Police Office, during which the intruders continued 


their activities against 450 computers and successfully gained access to more than thirty 





*%° Lenk (1997, pp. 126-135). The evolution of the attack mechanism in 1982 is password guessing, 
1984 Self-replicating code, 1985 password cracking, 1986 Exploiting known vulnerabilities, 1988 
Disabling audit mechanisms, 1989 Use of back doors in programmes, 1990 Hijacking sessions, 1991 
Sweepers, 1992 Packet sniffers, 1993 Stealth diagnostics, 1994 Packet spoofing, 1995 Graphic user 
interfaces for attack tools, 1996 Automated probes and scans, 1997 Denial of service, 1998 Web 
attacks, 1999 Macro viruses, and 2000 distributed attacks. See Longstaff (1999, 231-255). 
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(Stoll 1988, pp. 484-497). Even then because of the complexity of the cyber environment, 
investigation of cybercrime cases was extremely time-consuming. Since then, for example, 
the case of Sean Galvez shows a worsening of the situation. He obtained unauthorized access 
to 40 eBay customer accounts and incurred up to 32,000 dollars of fraudulent charges in 2003 


could only be indicted in 2006.”*° 


In comparison with cases affecting thousands or millions 
of computers, the difficulties in investigating these relatively trivial cases poses the question 
of how the prosecution of a major case is possible. 

Johnson (2006, p. 6) has discussed a digital forensic evidence on both national and 
international levels, the challenge posed by offences of online pornography, encrypted illegal 
materials, cyber terrorism, cybercrimes against children, and the exploitation of computer 
viruses in extortion schemes. He found that the process of searching digital documents was 
extraordinarily difficult, due to the capacity of rapid transmission, storage in remote 
machines, encryption, or the use of other concealment methods. In 2002 BCSC 524,°°’ the 
Supreme Court of British Columbia found that 102 gigabytes of data had been recovered 
through the forensic imaging of computer hard drives, which meant that the printouts of such 
a volume of data could fill a 12,500 foot high stack of paper. As a result, the work in 
reviewing the data was time-consuming, and required co-operation from authorities in the 


United States, Singapore, and Great Britain (paragraph 12). In R. v. Harlos,”** 


the police 
seized from the offender six hard drives containing storage of 920 gigabytes of data, mostly 
child pornography: totally 3162 photographic images, and 763 videos of child pornography 
(paragraph 15). 

The Internet being a vulnerable infrastructure, all the individual and institutional Internet 
users are exposed to similar threats of becoming victims of cybercrime. In practice, as I 
pointed out in Section 7.5, all cybercrimes are more or less committed through technological 


means. Malicious programmes and anti-viruses are “weapons” in information systems. 


Malicious programmes are usually designed and disseminated without rewards, being 





*°6 The Office of the Massachusetts Attorney General, Boston Teen Indicted on Charges He Hacked 


into eBay Accounts and Stole Victims’ Identities, 5 January 2006. Retrieved 15 March 2007, from 
http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1576 

°37 Full citation: In the Matter of s. 490(3) of the Criminal Code and In the Matter of Edmond Edward 
Edmond et al. 2002 BCSC 524. 

*8 2005 ABPC 118. 
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uncommercialized and unsystematic. Anti-viruses are designed and sold as commodities. 
Both of them are products of labour, but with a different use: the former being offensive 
weapons, the latter being defensive weapons. 

McAfee (2005, pp. 2-13) has summarized tools and their functions in cybercrime. These 
tools are used not only to access confidential information, but also to conceal traces, and 
prevent normal functioning. Most of these tools can be downloaded from the Internet free of 
charge or at inexpensive prices. It is especially easy to search and obtain such a programme 
from the Internet as freeware or shareware using a search engine. Many tutorials are 
furthermore prepared for non-professionals to study them systematically from primary level. 

Compared with malicious programmes, the sources of preventive programmes are fewer 
in number and more expensive on the market. To search such a programme on the Internet 
turns out to be more difficult than obtaining are free of charge. The usual results are that the 
links are redirected to a trial version with limited functions or a full version with payment 
instructions. The incentives for not revealing such programmes are profits, compared with the 
incentives for causing broader and larger damage and gaining fame by the revelation of 
malicious programmes. These cases are akin to cases of copyrights and their infringement. 

Both factors, discussed in Sections 7.5 and 7.6, can be simplified because of the 
abundant opportunities for abuse of information systems. In fact, many practical cases have 
shown that rather than depending on sophisticated technologies and overcoming complicated 
processes, the perpetrators simply exploit the opportunities at hand. In Yearly v. Crown 
Prosecution Service,” the accused, a computer engineer, accessed without authorization a 
security document in the computer he worked on for a store and he then put it on the Internet. 
Although his computer knowledge was a condition of his employment, nevertheless, in 
obtaining the confidential file, opportunity was the most significant element rather than his 
knowledge and skills. With a malicious intent, everyone with the least knowledge of 
computer systems but are given the same opportunity would be able to do the same. An 
offence primarily engenders by opportunity, should not be measured by the sophistication of 


techniques and the complexity of the processes involved. 





°° [1997] EWHC Admin 308 (21st March, 1997). 
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7.7 The costs of cybercrime 


Although much literature dealing with “the costs of crime” has been written by 
economists, statisticians, jurists, and sociologists, the practical estimate of the costs of one 
single offence or the whole criminal phenomenon has proved impossible to work out. 
However, the costs of crime can roughly include direct and indirect costs, physical and 
psychological costs, and both the costs before the incident and after the incident. There have 
been efforts to quantify the losses of computer crime, for example Wasik (1991, pp. 34-41), 
or measuring the size of the problem, for example, Grabosky (2000, pp. 8-9). In respect of 
the losses caused by cybercrime, it is overall so expensive that no other criminal activity can 
compare with it. Sometimes, the “losses” of one offence may not necessarily be a pure social 
cost. Some of the wealth may be transferred from the victim to the offender. Generally, the 
more the offender obtains physically, the more the victim loses. In some other cases where 
the offender does not acquire substantial property, mere “losses” of a victim’s money or 
health satisfy the offender’s psychological needs. In both cases, the offender has expected 
benefits. Again, the more the victim loses or the more seriously the victim is hurt, the more 
the offender is satisfied psychologically (see generally Section 6.7). 

Monetary losses caused by crimes, particularly by cybercrimes, are thus difficult to 
calculate. Direct measurements being unavailable, only some important references can be 
used to indicate the extent of these losses. 

As a first reference, because individuals and businesses have to invest heavily in 
information security and have to change their behaviour to reduce the probability of being 
victimized (Gray 1979, p. 13), spending on cybersecurity services and products constitutes, 
for example, a significant part of the losses brought about by the threats of cybercrime. 
Without cybercrime, The ICT industries do not require to invest specifically in security 
protection. In the meanwhile, investment on security protection does not increase 
productivity. Presently, this expense becomes a necessary part of their ordinary inputs. 

The second reference is that losses in individual cases provide a more direct impression. 
Daler and co-workers (1989, p. 22) reported that the average loss obtaining in a cybercrime 
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case is around 400,000 dollars, as compared with the average take in an old-fashioned bank 
robbery of 6,000 dollars. The CCIPS web site publishes a list of cybercrime cases prosecuted 
in the U. S. in recent years. It is obvious that once the cases involve losses, the amount will 
be large (definitely, there are also cases not involving any monetary loss) (CCIPS 2006). 
Calculating the 115 cases prosecuted during March 1998 through to May 2006, the lowest 
single loss was 5,000 dollars, and the highest was 80 million dollars. The average loss in 
these cases was 1.27 million dollars (Li 2006). The losses involved in single cases differ from 
each other. The media, for example, reported that the infamous Love Bug of 2000, for 
example, infected at least 45 million computers and caused losses of millions of dollars.*“° 

The third reference can be obtained from various cybercrime surveys, each of which 
provides some information about the situation of the respondents. For example, the annually 
operated CSI (2005) survey on 700 US computer security practitioners in corporations, 
government agencies, financial institutions, medical institutions and universities, found that 
the reported average financial losses resulting from security breaches are 204,000 dollars per 
respondent. The total losses for 639 survey respondents came to exactly over 130 million 
dollars (CSI 2005). 

Accurately calculating the losses of cybercriminal offences is a task of some 
sophistication (UNCJIN 1999, Paragraph 27). Cybercrime is a comparatively easy business, 
but the deterrence, in its turn, is far from easy. Notwithstanding the fact that the whole world 
is actively combating cybercrime, the number of cybercrimes is still on the rise and their 
costs are increasing exponentially (CSI 2000). In 2002, the estimation of cybercrime losses 
averaged about 50 billion dollars annually (Hale 2002, pp. 5-6). In 2005, another estimation 
of losses reached 400 billion dollars (McAfee 2005, p. 5). The meaning of this number from 
the year 2005 may be well understood if we compare it with the 9/11 attacks that cost New 
York City at least 17 billion dollars. Further, it may be pointed out that the forecast for the 
effect of terrorism in general, is a reduction of 0.25 percent of the world economy’s growth 
rate -an impact of around 75 billion dollars (Davidson 2003). If such comparisons are used in 


measurements, worldwide overall cybercrimes is bleeding the economy of nearly 24 times 





ed BBC News, 4 May 2000. Retrieved 15 March 2007, from 
http://news.bbc.co.uk/hi/english/uk/newsid_736000/736570.stm 
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the sum of the 9/11 attack losses. In addition, companies are investing heavily in a variety of 
security technologies and insurance (Sofaer and Goodman 2001, p. 5). This is not unrealistic, 
if we recall that the International Monetary Fund June 2002 Global Financial Stability Report 
reflects, in a conservative estimate, the total insured losses for 9/11 of around 44 billion 
dollars (IMF 2002, p. 38). 

Besides the direct cost, Loeb has estimated that breaches of confidence can make 
companies lose more than 5 percent of their market value on average (Loeb 2004, p. 69). A 
survey by Telang and Wattal (2005) analysed the economic impact on 18 software suppliers 
and found that announcing vulnerability in one of these companies’ products caused a 0.6 
percent fall in its stock price, or an 860 million dollars fall in the company’s value (Telang 
and Wattal 2005, p. 3). 

Immeasurable are the losses of confidential information on state security, governmental 


reputation and diplomatic relationships. In McKinnon v USA & Anor,~’ 


the accused 
obtained control over dozens of computers belonging to and used by the U. S. Government, 
through which he could gain further control over hundreds of thousands of computers. 
Among them were 53 Army computers, 26 Navy computers, 16 NASA computers, and | 


Department of Defense computer.” 


Upon gaining access, the accused deleted critical 
operating systems from some computers, and copied files into his own computer from some 
other, including passwords, causing a total of 700,000 dollars of loss.”4? Given there was no 
further loss from his unauthorized access, the U. S. government has been striving to extradite 
him for prosecution. The visible and invisible losses made the government unwilling to give 
up the lengthy proceedings in the U. K., even though his conviction can provide no more 
compensation for the losses. 

In general, what makes the situation worse is not only that cybercrime is expensive, but 


4 


also that the costs are rapidly increasing. Only if it reaches saturation point,’ can the speed 





*41 [2007] EWHC 762 (Admin) (03 April 2007) 

ibid., paragraph 3. 

ibid., paragraphs 4 and 6. 

The original meaning of “saturation point” indicates a situation in which no more people or things 
can be added because there are already too many. Summers (2003), p. 1457. In research on criminal 
phenomena, it is also possible to suppose a saturation point where a sharp increase or sharp decrease in 
the number of crimes no longer occurs. Criminal phenomena can be maintained in a relative stable 
situation if the forces of crime and deterrence are balanceable in a short term or a long term. Saturation 
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of development become stable or commence to decrease. Furthermore, in the “competition” 
between the criminals and law enforcement, it is obvious that the former are more efficient in 
obtaining new technologies than the latter (Centre for Strategic and International Studies 
1998). 

The above analysis concentrates on the general impact of cybercrime on society. A 
special issue requiring clarification is that of the impact of cybercrime on individual victims, 
comparing a pensioner and a millionaire both of whom are undergoing 100 euros of losses in 
a cash card fraud. The direct suffering of the former is definitely far more severe than that of 
the latter. Criminal justice, equally protecting the poor and the wealthy, may reasonably be 
considered inefficient in equally treating every euro value of property belonging to every 
person. In addition, traditional crime can be lethal to natural persons, but has a less severe 
threat to legal persons in general. However, more and more businesses have considered 
cybercrime more likely to happen,” and more harmful than physical crimes.”*° This is a 
natural result of increasing importance of information for enterprises and increasing threats of 
cybercrime to information security. 

The following sections (7.8, 7.9 and 7.10) will deal with the issue of “the dark figure” of 
cybercrime. Traditionally, the dark figure has been formed as a consequence of the criminals’ 
self-concealment, family relationship and even from community reasons (Radzinowicz and 
King 1977, pp. 31-34). With regard to cybercrime, besides conventional concealment 
methods, information systems constitute another significant mask for perpetrators, a shelter 


for the criminal, and a tool for hiding traces. 





in the short term is always possible. The shorter the term, the more stable the development tendency. 
Nevertheless, sometimes long-term saturation is also possible, because in the long term, the 
development tendency line appears flatter than in the short term. What is difficult is to define short 
term and long term in research on crime. Traditional crime might be placed in a term of a century or 
millennium, while the development process of new crime should be measured in decades, years, or 
months. The dissertation does not limit what kind of term is suitable for cybercrime. 

> IBM. IBM Survey: Consumers Think Cybercrime Now Three Times More Likely than Physical 
crime: Changing Nature of Crime Leads to Significant Behaviour-Changes, 25 January 2006. 
Retrieved 15 March 2007, from http://www-03.ibm.com/press/us/en/pressrelease/19154.wss 

46 IBM. U. S. Businesses: Cost of Cybercrime Overtakes Physical crime: IBM Survey Shows 
Changing Nature of Crime Causes Organizations to Look Inside, 14 March 2006. Retrieved 15 March 
2007, from http://www-03.ibm.com/press/us/en/pressrelease/19367.wss 
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7.8 The anonymity of the perpetrators of cybercrime 


Communicating anonymously is a great characteristic of the Internet environment. In 
using the Internet, anonymity can be kept from the beginning to the end. First, anonymous 
access to the Internet poses the most serious threat. In many countries, one of the most 
important forms of using the Internet is realized through cyber cafés or libraries, where 
anonymous users can access many of the online services. Definitely, there exist different 
situations in different countries. Compared with Finland where there are few cyber cafés in 
towns and cities, the cyber cafés in China have become the “third space” of school-aged 
juveniles besides home and school. The facilities and services in academic or public libraries 
are far less convenient for users than those in cyber cafés managed by private firms. An 
increasing number of hacking cases involving the Internet or Internet users are committed or 
conspired in cyber cafés. 

Secondly, anonymous subscription to the Internet services raises the difficulty of 
identifying users. The personal information provided for the registration of an e-mail account, 
the name and address of e-mail messages, and the authors’ information in Usenet, etc., can all 
be fabricated. Keeping identity anonymous is favourable for the protection of users from 
victimization, but it also favours the hiding of perpetrators from being traced. 

Thirdly, users can keep their identity anonymous in the process of online 
communications. There are also mechanisms for keeping complete anonymity by which one 
user can send messages to other users, and then the messages are transmitted to the final 
target, such as newsgroup, e-mail list, or a single e-mail account. What makes it more 
complex is that in the mechanisms the intermediary can only be a programme and may be in 
another jurisdiction (Kingdon 1994). This also reminds us that there exists the possibility of 
numerous transmitting points, by which messages are transmitted from one terminal to the 
next terminal, from that to the next in line, and so on, until the message reached the 


destination. The whole process is: 


From the sender —~T1—T2—...—Tn-2—>Tn-1—>Tn. 
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Figure 6 The Transmitting Process 
Tracing this transmitting process is theoretically possible. During the tracing process, 
the investigation is exactly the contrary to the process of transmission. Each time, the 


investigator can trace back one point. The whole process 1s: 


From Tn—Tn-1—Tn-2—...—T2—-T1—>the sender. 
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Figure 7 The Tracing Process 


It is likely that all points are identifiable. Nevertheless, as long as there is an unexpected 
element at any point, the tracing chain can be disrupted without reaching the original source. 
According to National Police Agency of Japan (1998), the possible examples include that the 
victim has no record of the Internet Protocol (IP) address; ISPs do not keep suitable records; 
hackers alter the logs; or some points are located in countries that have not criminalized 
hacking. As Koch (Inter@ctive Week, 10 July 2000) has pointed out, theories about detection 
remain theories, and they are too new to be tested in practice. Even if all the work of 
traceback is fulfilled, the actual value of this work may be discounted in a judicial process 
because of different locations and thus diversified jurisdictions. 

Fourthly, the specific service or software can play further roles in hiding users. 
Cybercriminals usually establish anonymizers, which are systems particularly designed to 
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invalidate technical identification of the source of communications.”’ In fact, this kind of 


service or software can also be conveniently obtained free of charge or at an inexpensive 





7” See Belgium’s answer to the “Questionnaire 5: Have you received any reports from your 
law-enforcement authorities that have indicated an obstruction of their work due to the non-existence 
of appropriate legal instruments concerning traffic data retention?” in Council of the European Union, 
Council doc. 11490/1/02 CRIMORG 67 TELECOM 4 REV 1, Brussels, 20 November 2002. 
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price from the Internet. Everyone who is online can get access to these tools and services. 
Such software is likely to be replicated and spread unlimitedly, creating a bigger population 
of hidden users who potentially threaten the security of information systems. 

Although the anonymity of cybercriminals poses a series of questions, it is still the core 
of the “perfect environment” for the criminals;”"* yet it is at the same time welcomed by 
Internet users. People are constantly concerned that without online anonymity, it could be 
impossible to guarantee fundamental rights (COM(2000) 890 final, p. 20; National Police 
Agency of Japan 1998). It is not strange that the European Union Data Protection Working 
Party’s Recommendation recognized that online anonymity brings about a dilemma for 
governments and international organizations:*” in particular, in maintaining human rights to 
privacy and freedom of expression, and combating cybercrimes (COM(2000) 890 final, p. 
20). Philip (2002) warned that anonymity can provide users with “the courage to do the 


outrageous and sometimes even resort to illegal activities.” 


7.9 Hidden victims: underreporting and unwilling to report 


Cybercriminals have a greater advantage than most of the traditional criminals in respect 
of the low probability of arrest and conviction. Many scholars have mentioned this 
characteristic of cybercrime, as noted in the literature cited in this section. Hatcher and 
co-workers (1997, pp. 397, 399.) have pointed out that many cybercrimes are not reported. 
The term “dark figure”, used by criminologists to refer to unreported or unrecorded crime,”” 
has been applied to denote undiscovered cybercrimes (UNCJIN 1999, Paragraph 30). Many 


intrusions are not detected for a variety of reasons (COM (2000) 890 final, p. 11). 





*48 Levinson (2002), p. 455, saying that anonymity is exploited by perpetrators of old crimes such as 
fraud, pornography, gambling, stalking and identity theft, or new crimes such as unauthorized access, 
denial of service, and malicious programmes, pp. 455-458. 

*” The Article 29 Data Protection Working Party (2001). 

*°0 As Radzinowicz and King (1977) pointed out that, “The recorded figures of crime are huge but the 
reality behind them everywhere looms far larger. The sinister word dunkelziffer (dark figure) was 
coined at the turn of the century to express this hidden reality.” See Radzinowicz and King (1977), p. 
42. 
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Cybercrimes can well be described as hidden crimes.”>! 

At the same time, victims of cybercrime are willing to be hidden victims (Cook 1997, p. 
127). The usual “motives for silence” concerning victimization may fall into one of the 
following categories: 1. The idea that the victimization is not worth the mobilization of 
justice; 2. Involvement; 3. Pressures of fear; 4. The uneasy accessibility of police and court; 
and 5. The ignorance of events by the police (Radzinowicz and King 1977, pp. 38-40). 

In sketching the victim decision-making, Greenberg and Ruback (1985) have established 
a three-stage model: the victim judges whether the event is a crime, evaluates its seriousness 
and decides what to do (Greenberg and Ruback 1985, as cited by Feldman 1993, p. 26). 
Before these stages, one stage that is more important should be added, that is, whether the 
victim knows the event. If this is the case, the reporting of cybercrime may remain at a lower 
level, because cybercrime is invisible and difficult to discover; it is more difficult for the 
victim to judge whether the event is a crime and to estimate the losses; and the victim has less 
knowledge about whether there is an agency to report the crime. The limited reporting of the 
cybercrime has been noted more than 20 years ago by Parker and Nycum (1984, p. 313), who 
studied the invisibility of computer crime. At present, the Internet’s virtual environment has 
made the situation still worse. Fortunate progress in proving material evidences in traditional 
crimes was made in late 1980s when DNA tests were first introduced (Levinson 2002, p. 537). 
However, digital evidence in computer crimes is immune from such high-technological 
testing measures. The invisibility of cybercrimes is based on several factors, either 
technological or human (UNCJIN 1999, Paragraphs 30, 31). Sometimes, the simple reason is 
that the victims are not willing to report, or even do not know where to report the case 
(Salgado 2001). The documented reasons for the reluctance to take legal actions are mainly 
fear of adverse publicity, public embarrassment or loss of goodwill, loss of investor or public 
confidence, resulting economic consequences such as the panic effect that this information 
would create on their stock prices (See Carter 1995, p. 21; Roush 1995, pp. 32, 34; Gelbstein 
and Kamal 2002, p. 2; McKenna 2003a), and exposure to future attacks (COM (2000) 890 





*! Cook (1997) used “hidden crimes” to denote under-reported or under-recorded crimes such as 
domestic violence, sexual assault, and racial harassment (p. 55-58). He also used “hidden victims” to 
denote the victims of the “hidden crimes” (p. 127). 
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final, p. 11). The UN suggested that these factors have a significant impact on the detection 
of cybercrime (UNCJIN 1999, Paragraph 31). 

Yet there are other reasons for the victim to keep silence. While many people are active 
in maintaining their interests and rights, some people view victimization as their own failure 
in life and career and are not willing to reveal the fact of their failure to any individuals and 
institutions, so as not to make public their own weakness. 

Therefore, it is inevitable that the rate of unknown instances of cybercrimes has 
increased as a result. The CSI (2005, p. 20) summarized the reasons why the U. S. 
organizations did not report intrusions to law-enforcement agencies in 2005, including 
unawareness of law-enforcement interest, a civil remedy seeming the best course, computer 
would use to their advantage, and negative publicity would hurt the image of their stock. This 
survey has indicated the percentages of respondents identifying each stated reason as being 
very important in their decision not to report computer intrusion. At the same time, it is worth 


noting that the reasons are subject to changes in each annual survey. 


7.10 The concealment of cybercrime traces 


Mitchell and Banker (1997, pp. 707-711) have concluded that there are four 
characteristics in which cybercrimes are different from traditional crimes, that is to say, 
difficulties in detection, limited reporting, jurisdictional complexities, and resource constraint. 
All these four aspects fall under the broad characteristic of concealment. The concealment of 
cybercrimes has been brought about by other technological and human factors (Conly 1991; 
Clark 1996; Stephenson 2000; Mandia and Prosises 2003; Mohay and co-workers 2003; 
Vacca 2005; Johnson 2006). 

Most of traditional offences are highly visible due to apparent depredations, presence of 
witnesses, and so on. There are also traditional crimes that occur in private places and 
become less visible (Walsh 1983, p. 236). Unlike traditional threats where criminals are 
physically present at the crime scene, cybercriminals are usually not present at the crime 
scene thus making apprehension difficult (Speer 2000, p. 260). In information systems, 
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executing a command to delete files does not mean that the files are permanently deleted. 
What happens is merely that files are hidden due to a change in file names so that the files 
can be recovered,”” except when a secure-eraser programme is in use.”° Skilful criminals 
can disable this kind of security mechanism, and conceal the data that might possible be 
taken as evidence in prosecution. 

Technological advances have both a positive impact on businesses and a negative impact 
on law enforcement (Institute for Security Technology Studies 2002). For example, in the 
DrinkOrDie case, the online software piracy group concealed its actions by various security 
measures: exchanging e-mails via private mail server using encryption; using a nickname to 
identify members, and communicating about group business only in closed, invite-only IRC 
channels; the FTP sites, where tens of thousands of pirated software, game, movie, and music 
titles were deposited, were secured by particular authentication mechanisms (U. S. 
Department of Justice, Press release, 17 May 2002). On the other hand, the available 
technological solutions have not completely met the requirement of data collection, log 
analysis, and Internet protocol tracing (American Society for Industrial Security 2004, p. 40). 
There is also the necessity for law-enforcement agencies to recruit personnel with “electrical 
engineering and computer-science backgrounds” (Fields 2004, p. B1); 

Inevitably, critics point out that cyber police have extra incentives than combating 
cybercrime, for example, asking for more money, more wiretap, bugs in computers and sell 
phones, weak encryption and permission to implement security technology, without more 
arrest following (Koch Inter@ctive Week, 10 July 2000). 

Concealment of crimes has important economic effects. Stanley (1995, p. 2) stated that 
concealment of crime can decrease the incentives not to perpetrate, and increase the costs of 


law enforcement. Concealment of cybercrime demonstrates the low probability of 





**? In United States v. Angevine (Tenth Circuit No. 01-6097, D. C. No. 00-CR-106-M, 22 February 
2002), ’the computer expert used special technology to retrieve the data that had remained latent in the 
computer’s memory,” though the accused had attempted to delete the relevant files. In United States v. 
Upham (First Circuit No. 98-1121, 12 February 1999), the investigator used the “undelete” function of 
a programme to recover deleted files from the deposit media, as primary evidence in conviction. In 
Robertson v. Her Majesty's Advocate ([2004] ScotHC 11 (17 February 2004)), the police recovered 
347 deleted images from the unallocated space, and 878 images and 45 movies from deleted zip file 
within the disc. 

53 See for example, International Airport Centres, L. L. C., et al v. Jacob Citrin (Seventh Circuit No. 
05-1522, 24 October 2005), p. 2. 
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punishment. In the U. S., only one in 100 cases was detected, one in 8 prosecuted, while only 
one in 33 prosecuted cybercrimes resulted in a prison sentence. That is to say, the likelihood 
that a cybercriminal would be put into prison was a one in 26,400 chance (Daler and 
co-workers 1989, p. 22), as compared with the likelihood of imprisonment in traditional bank 
robbery a one in three chance (ibid.). Law-enforcement agencies found that a majority of 
cybercrimes never reached the criminal-justice system. Even in the relatively few cases 
where a crime was reported, most often the criminal's identity was never discovered.” As a 
consequence, as Radzinowicz and King (1977, p. 67) pointed out, “The calculation of chance 
is as applicable to the commission of crime as to many other activities.” Given other factors 
constant, if cybercrime is more concealed than other offences, the potential perpetrators are 
more motivated to take illegal actions on the Internet, and thus more offenders of traditional 


crime will be prepared to migrate to cyberspace. 


7.11 The trans-territoriality of cybercrime coverage 


Free flow of information from one country to another is a goal of information 


°56 The trans-border information flux is 


systems, >> but trans-border flow is not free. 
accompanied by risks of crime of a similar nature. In any country, the court must have 
jurisdiction over the person or the subject-matter of a lawsuit. This works well with the 
current set-up of law-enforcement agencies that are territorial and are operating in different 
villages, towns, districts, cities, counties, states or provinces, or national boundaries. 


Nevertheless, unauthorized access to information systems can be accomplished from virtually 


anywhere on the networks,’ because the communications capability of cyberspace allows 





254 Phrack magazine, Identifying Net Criminals Difficult, volume 18, number 53, 8 July 1998, article 


14, OX1. Retrieved 15 March 2007, from http://www.phrack.org/phrack/53/P53-14 

*° Directive 95/46/EC, Preamble (3); UN A/RES/51/162; Council of Europe Convention for the 
Protection of Individuals with Regard to Automatic Processing of Personal Data, Article 12. 

*°6 The Convention mentioned above, Article 12 provides the limit on trans-border transfer of data. 

°°7 See cases such as United States v. Tenebaum Usrael), 18 March, 1998, involving an Israeli hacking 
United States military computers; United States v. Gorshkov (W.D. Wash) 4 October 2002, Russian 
hacker; United States v. McKinnon I (E.D. Va.) and If (D. N.J.) 12 November 2002, British National 
Hacked into the U. S. Military Networks; United States v. Zezev (S.D. N.Y.) 1 July 2003, Hackers 
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criminals to conspire more easily, without geographical proximity to one another or to the 
target (Lenk 1997, pp. 126-135). The international characteristic of cybercrime is evident 
(National Police Agency 1998). In fact, some of the cases prosecuted have been of this nature, 


for instance, R. v. Kozun,”® 


where the forensic analysis of the computer of the accused 
disclosed that 165 separate users from 15 countries had traded through his computer. The 
computer was converted into an automated trading centre through a programme, by which 
141 users had traded in the previous 13 days. 

The sphere of legal jurisdiction makes the cybercrime enforcement more complicated 
(Lee and co-workers 1999, p. 873). Smith, Grabosky, and Urbas (2004) concluded that the 
trans-national dimension of cybercrime posed four formidable challenges for prosecutors, 
who have to determine whether the conduct in question is criminal in their own jurisdiction, 
collect sufficient evidence to mobilize the law, identify the perpetrator, and determine his or 
her location, and decide whether to leave the matter to the local authorities or to extradite the 
offender (Smith, Grabosky and Urbas 2004, pp. 48-49). 

Sinrod and Reilly (2000, p. 2) have pointed out that although some international 
organizations are examining cooperative mechanisms in the field of fighting against 
cybercrime, many of their members are slow in recognizing the urgency of the situation. 

The elimination of borders favours inter-jurisdictional mobility of crime. Due to the 
actual difficulty in establishing jurisdiction, even if a certain offence is detected, it is still 


uncertain whether the way can easily lead to punishment.””” 


Reasonably, suggestions have 
been made to incorporate cyberspace into various jurisdictional frameworks. Nonetheless, this 
needs a great deal of time, agreement, and co-operation between countries, which are still 


struggling to take common actions. 





from Kazakhstan; United States v. Ivanov (D. Conn.) 25 July 2003, Russian hacker. 

*8 2007 MBPC 7. 

°°? In R. v. Burns ({2003] NICC 13(2) (12 September 2003)), where the accused cloned mobile phones, 
or exploited faults or loopholes in the internal phone systems of companies or organizations to make 
cheap or free calls at the expense of those companies or organizations, the court found that: 

“As the investigation progressed it became more wide-ranging and involved another suspect and 
its ramifications were such that it eventually spread to other parts of the United Kingdom, to Tokyo, to 
South America, as well as to New Jersey and Atlanta in the United States of America. Several large 
organizations in the United Kingdom, other police forces and international telephone companies were 
involved. When it became apparent to the police that they did not have either the specialist equipment 
or the necessary expertise to access much of the information, specialist firms had to be engaged. All of 
this took a great deal of time.” 
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Finally, it is worth noting that trans-national cases only constitute a minor part of 
cybercrime (Li 2006). No certain conclusion can be drawn because it is possible that 
trans-national offences are not as prevalent as scholars have assumed. On the other hand, it is 
difficult to reveal these offences for reasons that scholars have laid bare. Or, it may be, that it 
is simply law enforcement does not put sufficient emphasis on these offences. Before credible 
data are available to give an answer to this question, we have certain reasons to claim that 
trans-national offences have sometimes of a dual nature: they do not appear as prevalent as 
domestic offences, but they are more difficult to detect and convict. In addition, because the 
investigation of trans-national offences is more expensive and time-consuming, law 
enforcement will not give more priorities to these offences than to cases that have happened 


“close to home”. 


7.12 The rampancy of cybercriminal phenomena 


On the computer age, Bequai (1978, p. 4) said, the computer was a gigantic calculator 
enabling people to gain large quantity of data by pressing a button. When the computers are 
connected as a colossal network, “buttons” are used not only to acquire and transmit data, but 
also to replace some of the traditional interpersonal communications and social interactions. 
Collin (1999) explained the sense of the virtual world, being “symbolic - true, false, binary, 
metaphoric representations of information - that place in which computer programmes 
function and data moves.” Cyberspace has developed into a stockroom of the wealth and 
power of the information age (The London School of Economics and Political Science 2001). 
The pervasive application of ICT can be regarded as a magnitude change of the contemporary 
society. It poses new challenges to the traditional conception and system from many aspects, 
and it changes the routine activities of a large population of the members of society. This 
change, among other effects, will benefit the disorganization of the traditional social structure 
and thus increase the presence of motivated perpetrators and the exposure of their victims. As 
a phenomenon long existing in society, crime has transformed its forms and grown steadily in 
different historical periods. Criminal phenomena have always gone beyond the law. New 
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forms of crime will inevitably emerge from a continually developing society, while the law is 
not ready to guard against them. The requirement for punishing crime requires a revision of 
criminal legislation and a renovation of criminal justice. The persistent extension of the 
ranges of crime can but result in the constant extension of the regulating domain of criminal 
law. 

People longed for the industrial society in which their economic situation would be 
improved, the education level enhanced, consciousness civilized and traditional crime 
decreased. However, not only has traditional crime not decreased, but also white-collar crime 
came into being. Where white-collar crime was the offspring of an industrialized civilization, 
cybercrime concomitantly grew in hand with an informationized civilization. The 
unprecedented combination of crime and computer creates a stage of anti-productivity, 
undermining the magnificent prospects for high technology. Criminals abuse the conditions 
of the emerging market and technologies. 

The rise and prevalence of the Internet has become the prominent intervention factor in 
the development of cybercrime in the recent decade. On the Internet, exist universal 
contradiction and contention, use and abuse, defence and offence, ethic and deviance, fact 
and falsification, order and disorder. The powerful software and hardware that enable people 
to work more effectively is difficult to operate securely (Allen 2001, p. 2). Speedy 
technological evolution makes the vendors concentrate more of their time on the market, and 
less time on security features (Pethia 2001). Although computers and networks are at present 
protected by various means, the emerging vulnerabilities are inevitably increasing. 

All these considerations concerning criminal phenomena in the background of 
high-technology development does not imply that it is the technology that brings about more 
crimes. Nevertheless, we cannot deny the factor that the adoption of the new technology may 
make the crimes more profitable, and less risky (Daler and co-workers 1989, p. 21). Even 
worse, the criminal will tend to repeat his or her criminal acts-- especially when there is little 
chance of being caught or convicted. Consequently, cybercrime would pave the safest way to 
illegal profit, considering the ease with which it can be committed and the negligible chances 


of imprisonment (Daler and co-workers 1989, p. 21). 


Even under these circumstances, arrests for cybercrimes are statistically growing, just to 
take Japan as an example. There, the total number of arrests of cybercriminals increased from 
913 in 2000 to 2,081 in 2004, while it reached 1,612 in the first half of 2005 (National Police 


Agency 2005). 
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Illustrated according to the statistics of the Japan National Police Agency, Concerning the 
Situation of Arrests and Consultancy of Cybercrime in 2006, 22 February 2007. 


Figure 8 Arrests for Cybercrime in Japan in the Past Six Years 
The findings of the cyber security and cybercrime survey are another way of viewing the 
situation. Australia and the U. S. have carried out annual survey for years. In Australia, the 
ferment years when the organizations surveyed experienced incidents or attacks against their 


information systems were 2001, 2002, and 2003 (the answers in Figure 9 were given one year 


later). 
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Don't Know 


The above figure is based on the statistics from the Australian Computer Crime and 
Security Survey, collected in 1997, 1999, and during 2002-2006 annually. The figure presents 
the answer to the question “Did your organization experience computer security incidents or 
attacks against its computer systems in the last 12 months?” This figure refers to the following 
reports, even though in each report the results of several years’ survey are usually included: 


1. Australian Computer Emergency Response Team 
Crime and Security Survey, p.5. 

2. Australian Computer Emergency Response Team 
Crime and Security Survey, p.11. 

3. Australian Computer Emergency Response Team 
Crime and Security Survey, p.12. 

4. Australian Computer Emergency Response Team 
Crime and Security Survey, p.13. 

5. Australian Computer Emergency Response Team 
Crime and Security Survey, p.17. 


. 2002. 


. 2003. 


. 2004. 


. 2005. 


. 2006. 


2002 Australian Computer 
2003 Australian Computer 
2004 Australian Computer 
2005 Australian Computer 


2006 Australian Computer 


Figure 9 Security Incident Trends in Australia 


In the U. S., the zenith years of cybercrime were 1997 to 2002 (see Figure 10, the 


answers were indicators of the situation of the year previous). Both Australia and the U.S. 


show a fall in positive answers, but the victimization rates are still high. In Australia, it is 


around 20 percent. In the U. S., it is around 50 percent. In criminological language, they 


show a victimization rate of 20,000 and 50,000 per 100,000 populations. 
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Figure 10 Unauthorized Use of Computer Systems in the USA 


The above figure is based on the statistics in the reports on CSI/FBI Computer Crime 
and Security Survey done annually. The figure illustrates the trends concerning the 
“unauthorized use of computer systems within the last 12 months” in the USA over the past 
11 years. 

The figure refers to the following reports, even though in each report the results of 
several years’ survey are usually included: 

1. CSI. 2000. CSI/FBI 2000 Computer Crime and Security Survey, p. 
CSI. 2001. CSI/FBI 2001 Computer Crime and Security Survey, p. 
CSI. 2002. CSI/FBI 2002 Computer Crime and Security Survey, p. 
CSI. 2003. CSI/FBI 2003 Computer Crime and Security Survey, p. 
CSI. 2004. CSI/FBI 2004 Computer Crime and Security Survey, p. 
CSI. 2005. CSI/FBI 2005 Computer Crime and Security Survey, p. 
CSI. 2006. CSI/FBI 2006 Computer Crime and Security Survey, p. 10. 
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7.13 Rent-seeking from the exaggeration of insecurity 


The social reaction to and impression on cybercrime are broadly diversified. The general 


public who are not unfortunate enough to experience or witness real life offences usually rely 
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on the reports of the mass media. While the mass media have their own interests other than 
maintaining a peaceful and secure daily life, the texts, graphics, audio and video files they 
compose and create can distort criminal incidents. Some characteristic ways of reporting 
computer crime have been misleading, even though they play roles in reinforcing the public 
consciousness of security (Molnar 1987, p. 714). In observing the social reaction to crime, 
Felson (2002) coined the term “dramatic fallacy” as one of his “ten fallacies about crime”:° 
media have interests in seeking strange and violent incidents to keep their ratings high, in 
which process a highly inaccurate general picture of crime is painted (p. 1). 

The tendency to dramaticize and mystify offences that the general public do not often 
hear about and see stems from the benefits gained by the mass media from their show-off 
through selective reports. They choose to broadcast what they consider capable of attracting 
an audience, while at the same time they keep a silence about events in which they have less 
interest. The most important principle of the media is to be authentic. However, their 
authenticity is built on selective reports. First identified by Gordon Tullock (1967), 
rent-seeking finds its way into cyberspace. Anderson (2001) has contributed to the study of 
exaggeration of cyber insecurity by pointing out in his paper that many interest groups would 
unavoidably engage in manoeuvring the truth of the cyber insecurity to benefit from the 
scared market. 

The players may include the mass media, the security engineering community, security 
professionals, police officers and even professors (Anderson 2001). Schneier (2004, pp.87-89) 
has criticized the fact that software vendors may have an incentive to exaggerate insecurity. 
In fact, Hoo (2005, pp. 67-69) has suggested that straightforward, cheap measures are much 
more worthwhile than large projects that many security vendors prefer to sell. There is 
definitely a problem that many organizational users leave their computers on and online the 
whole night after work, many without complex access control. Broadband networks provide a 


convenience for individual and organization users to keep online 24 hours a day, and seven 





*©) These ten fallacies about crime comprise a dramatic fallacy, a cops-and-courts fallacy, a not-me 


fallacy, an innocent-young fallacy, an ingenuity fallacy, an organized-crime fallacy, a juvenile-gang 
fallacy, a welfare-state fallacy, an agenda fallacy and a whatever-you-think fallacy. See Felson (2002), 
pp. 1-18. 
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days a week.*°! Sometimes those who are their contacts can even find their online status in 
the chat or e-mail systems. The 24-hour-online model is practically more risky than a dial-up 
service in terms of longer online time. 

Doing this research, I have found that many manufacturers of computer hardware and 
software also have a tendency to provide a darker picture to users when presenting the 
problem of cybersecurity. This becomes easier to understand when we recall that these 
manufacturers are striving to survive the growing threats of consumers’ awareness against the 
market of their products. In order not to subject them to product liability, they have to adopt a 
preparatory stance of impressing the users and judicial organs that the reason for cyber 
attacks lies not in the defects of their products but in the malicious motives of the 
perpetrators. 

While many people are motivated to exaggerate the truth, Harvey (Financial Times, 3 
December 2003) has claimed that cyber terrorism remains an insignificant issue in real life. 
Evidence can be seen from the detailed documents such as “A Chronology of International 
Terrorism for 2004”, in which none of the incidents that caused deaths and injuries have 
employed or targeted computers and networks (National Counterterrorism Centre 2005). In 
fact, if we consider the urban-crime problem in the U. S., as Miethe (1995, p. 15) did, more 
than one-fourth of the households were victimized by crime in 1992, while one-half of the 
population would be victimized by a violent crime in their lifetime. The natural reaction is 
that cybercrime remains a less than prevalent fear. Although what Wasik (1991, p. 150) 
suggested that in the future information systems can be used in cases such as murder and 
injury, the traditional “direct-contact predatory crime predominates” in present society 
(Felson 2002, p. 23). Apparently, however, the people who are currently engaged in various 
security services may more easily grasp the more powerful mass media coverage than the 
traditional offences. The Internet as a part of the mass media airing news about a new 
computer virus is far more spectacular than what traditional newspapers, radios or TV 


programme can do about a theft, fraud or murder. By all accounts, most of the current 





*6! Traditional networks are through dial-up connections. Now, two methods of broadband service are 


digital subscriber line (DSL) and cable modem service. Fiber optics, etc. are gaining ground. See 
Earthlink Inc. vs. FCC, District of Columbia Circuit No. 05-1087, 15 August 2006. 
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popular knowledge about cybercrime comes from the mass media, regardless of the degree of 


reliability of such sources. 


7.14 Conclusions 


According to the basic conclusions of the last sections, we have identified a number of 
factors that complicate the reporting, detection, investigation, prosecution, conviction, and 
sentencing of cybercrime. People call for making the punishment fit the cybercrime (Vamosi 
2003). However, practicable methods of enhancing law enforcement have not been at hand. 

The development of cybercrime necessitates a timely update of the law, as some 
countries have done. However, it seems that the laws implemented are inadequate for 
effectively addressing the problem (Vamosi 2003). An example of this aspect can be found in 
the definition of fraud in U. K. The traditional fraud definition required that a person but not 
a computer be deceived (Daler and co-workers 1989, p. 125). Thus, the application of fraud 
provisions has depended on whether a person has also been deceived. These authors have 
mentioned that only in other countries, not the U.K. have the provisions on fraud been 
interpreted more broadly. 

According to the McConnell International (2000, pp. 3-6), only 31 percent of the 
countries surveyed had substantially or fully updated their laws, 15 percent partially updated, 
while more than half of the countries had no updated laws. According to the principle of 
legality, the absence of a law punishing cybercrime sets the deterrent probability at zero, 
while the actual punishment is also zero. This being the situation, the expected utility of the 
offender equals the utility when he or she is undetected. By recognizing this benefit, the 
potential perpetrators will have a greater incentive to commit cybercrime than other offences. 

As the conclusions of McConnell International (2000, p. 8) have demonstrated, light 
punishments create limited deterrence. The possible reason why creating a virus carries 
lighter penalties than marijuana offences (McCullagh 2004) may be due to the elasticity of 
these two kinds of crime from the economists’ point of view. Unlike the marijuana offences 
that are inelastic, cybercrime is more elastic. Tougher punishment for drug crime will be less 
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effective than for cybercrime. However, considering the marginal deterrence when the effect 
of punishment is too weak to stop cybercrime, this definitely does not deter, either. Lack of a 
certain degree of severity in punishment will not prevent potential criminals from committing 
the crimes they are planning, because even if they are probably caught, their expected benefit 
will still be higher than the expected cost. It is the marginal deterrence of the punishment but 
not the elasticity of the crime that is working. 

However, at the same time, methods adopted in some countries cannot be completely 
explained by the above theory. Take the example of the application of long-term 
imprisonment for offences with a low detection probability. The expenses of the long-term 
imprisonment are quite huge. Thus, it may be said that under these circumstances, 
governmental investment is insufficient when the emphasis is put on punishment, and 
detection is ignored. This relates to the value orientation of the government. 

Some other countries completely violate the principle of rational choice. They seem to 
find it difficult to afford adequate funding for detection, conviction, and enforcing 
punishment, while on the other hand they have established a cyber police, employing huge 
police forces. The tasks of these cyber police include detection and evidence collection, as 
well as cybercrime prevention with techniques and human resources, forming a “cyber 
information dam”. The expense is also huge. As Dnes (2000, p. 75) pointed out, it is of very 
poor value to increase the probability of conviction through employing more police officers. 

In these countries, the concerns about the privacy of individuals have to give way to 
national security and the maintenance of social order. This means that in the information age, 
the public organs receive ever greater powers of surveillance and interception. Since the 
1990s, the terrorists have frequently launched attacks; and individualism is gradually being 
submerged by the voice of national interests and international co-operation. The role of 
punishment in the deterrence of crime is undoubtedly unearthed. Whether in poor or wealthy 
countries, severe punishment is being used universally for cybercrime. This can be explained 
as decreasing the expected benefits of cybercrime while increasing the expected costs, 
forcing the offenders to give up committing the offences and to select instead legal activities. 
This implies that the means the modern countries take to decrease crime are direct prevention, 
plus increasing detection probability and increasing punishment severity. 
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Nevertheless, the following factors deserve further consideration. First, it remains a 
doubtful question as to whether the information dam can effectively control the information 
flood. The filtering and blocking of information is expensive and ineffective. As a substitute 
for severe punishment, it is either a necessary waste of democracy (compared with 
over-criminalization), or a necessary limit to democracy (compared with information 
freedom). In order for cybersecurity to be maintained, the private sectors and the public 
authorities should cooperate to strengthen the legal frameworks for cybersecurity (McConnell 
International 2000, pp. 8-9). 

Secondly, a surer answer can be provided to the question of whether severe punishment 
is cheap. There have been hundreds of studies done concerning the cost of the death penalty, 
proving that the death sentence is expensive as well as being easy to execute the innocent. 
These have become common-sense reasons for repealing the death penalty. The cost of 
imprisonment is also high. Because the cost of severe punishment is costed differently in 
different countries, the legislature and law enforcement have a different tendency in 
implementing various degrees of severity in implementing punishments, which can bring 
about further jurisdictional problems. 

Finally, what should be researched is whether severe punishment is effective. Given that 
the probability of detection remains extraordinarily low, and that there is no appropriate 
approach to increase it, a severe punishment again runs up against a limitation. A severe 
punishment to some extent requires the support of the probability of detection. If not, it loses 
the basis on which it exists and delivers little deterrence at all. 

Cybercrime differs from traditional crimes in its universality, anonymity, concealment, 
and complexities. While quantitative evaluation of cybercrime has proved difficult, the fight 
against cybercrime has become a big burden for companies. Because of difficulties in 
detection, investigation, and conviction, the dark figure of cybercrime remains high. The 
harsher penalties should be applied to pursue effective deterrence, but in themselves they do 
not serve protection. 

In effect, we are still repeating Radzinowicz and King’s dilemma (1977): the perpetrator 
may escape detection, the detected perpetrator may escape arrest, the arrested perpetrator may 
not be brought to book due to lack of evidence, the perpetrator brought to book may be 
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released because his innocent context or trivial offence, the prosecuted perpetrator may escape 
conviction, and the convicted perpetrator may only be imposed a light penalty (p. 41). 

The themes explored in this chapter show that there is no easy way of bringing 
cybercriminals before the judicial process. Nevertheless, as the next chapter will show, the 
increase of cybercrime is constant, and the reinforcement of deterrence is a constant need, yet 
for these two forces to reach equilibrium is still an on-going process. While Chapter 8 deals 
with temporal dimension of the phenomenon, Chapter 9 concludes that there is a time-lag in 
criminalization, but mainly turns to the spatial dimension to discover the problems existing 


among the various jurisdictions. 
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CHAPTER 8. UNBALANCED SCALE: THE HISTORICAL DEVELOPMENT OF 
CYBERCRIME AND DETERRENCE 


8.1 Basic observations on the development of criminal phenomena 


After revealing multi-dimensional obstacles in dealing with cybercrime, this chapter will 
present a retrospect of the history of cybercrime and relevant legislative and judicial 
practices. 

“History is full of nightmares, some natural, some manmade.” (Clarke 1997, p. 223) 
Nightmare or not, the computer raises problems. The computer was an invention that people 
could not imagine until it was clear what it happened to be. Before the digital computer had 
been invented, Thomas Watson, the former chairperson of IBM predicted in 1943 “I think 
there is a world market for maybe five computers.” Although different answers to questions 
“what exactly is a computer?” and “how many generations of computers have been 
developed?” are still running parallel,’ it is widely accepted that the first electronic digital 
computer was invented in the 1940s, in the final years of World War I (Hamilton 1973, p. 
82). The more notable example is the Electronic Numerical Integrator and Computer 
(ENIAC), invented in the U. S. in 1946 and since then, according to Tarkhov (1999), 


computer technology has experienced four generations.”” 





*® According to National Conference of Commissioners on Uniform State Laws, Uniform Computer 
Transactions Act (UCTA, Amended 2000, 2001), the computer is defined as “an electronic device that 
accepts information in digital or similar form and manipulates it for a result based on a sequence of 
instructions.” Section 102 (9). However, under different definitions, the computer might be a different 
device. The general sense of a computer today is a device related to the electronic processing of digital 
data. 

*®3 Tarkhov, S. Generations of the Computers: From Lamp Monsters to Integrated Chips, September 
1999. Retrieved 15 March 2007, from http://www.bashedu.ru/konkurs/tarhov/english/generat.htm. The 
timelines are: 1st Generation in 1950s, 2nd Generation from 1959 to 1963, 3rd Generation from 1963 
to 1975, and 4th Generation from 1975 to today. There are also other arguments. For example, Grauer 
(2001, pp. 7475-7476) argues that the first generation of computers before the 1960s was characterized 
by electronic tube and later transistors; the second in 1970s, miniaturized integrated circuits; the third 
in the 1980s and early 1990s, a very large-scale integration of circuits; the fourth since the 1990s, 
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Along with the continuous development of information technology, computer crime 
may, in principle, have been taking place since the very invention of the computer, but at that 
time, it neither became a significant problem nor caused great concern. Meanwhile, the 
development of computer crime should have kept pace with computer technology. The 
computer developed from a calculator to a word processor to a multimedia device. Besides 
the research on the history of ICT (Cortada 2002), the history of the computer (Allan 2001; 
Kuck, 1978, pp. 52-72); the history of the Internet (Okin 2004) or of online information 
services (Bourne and Hahn 2004), and history of computer ethics (Bynum 2001), scholars 
have also explored the history of cybercrime (Overill 1998), and particularly, the history of 
the hacker (Thomas 2002; Peterson 2003; Raymond 2001, covering 1945 to 1990s), or the 
viruses (Dvorak and Pirillo 2004). Some scholars have researched into the history of the 
legislation on cybercrime. Ulrich Sieber (1996), for example, concluded that countries have 
adopted various forms of legislation, and undergone several waves from the 1970s, 
addressing different problems respectively. They provide a valuable foundation for analysis 
in this dissertation. The different focuses in these researches do not deliberately furnish any 
organic links between the development of cybercrime and the development of deterrence. Yet 
these links are denoted as the primary concern of this chapter. 

The chapter attempts to carry out a diachronic inquiry into the history of cybercrime and 
legislation. Cybercriminal phenomena and the deterrence of punishment through law 
enforcement and social prevention are undergoing a process of development. The history of 
cybercrime can roughly be divided into four stages: a stage of germination, a stage of rapid 
development, a stage of broad expansion, and a stage of routinization. Furthermore, the 
criminal-law reform relating to cybercrime has never been completely synchronous with 
cybercrime due to a hysteresis in both the law enforcement and legislation compared with the 


relevant criminal phenomena. 


8.2 Computer hackers’ discovery of a lawless new frontier 





dominated by a very fast growth of Internet users. 
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Upon the hypothesis that computer crime emerged soon after the invention of the first 
computers, the first stage of computer crime began from the late 1940s and lasted through the 
late 1960s, when the general public paid more attention to usability, utility, efficiency, and 
development of the computer, and considered that the computer system was “occasionally 
unreliable,” but “usually secure” (Dunlop and Kling 1991, p. 524). Unlike today’s universal 
use of computers, there was hardly a computer “market” in this early stage. The manufacture 
or installation of a computer is an expensive and time-consuming work. However, during this 
stage, computer crime emerged in the context of a limited number of computers in use, but 
the legislature did not provide any specific countermeasures against the phenomenon, leaving 
law enforcement to deal with it within the traditional legal framework. 

Earlier studies implied that electronic computer” crime most probably emerged in the 
fields of military, engineering, science, finance and commerce at the beginning of the 1950s. 
Nevertheless, the earliest documented computer abuse, which involved the alteration of bank 
records, occurred in 1958 (Parker 1989, p. 5). The case became the first Federally prosecuted 
computer crime in the U. S. in 1966, with a time-lag of eight years. It was revealed that a 
bank employee had utilized the institution’s computer to embezzle cents from interest on 
long-term accounts (ibid.). The financially motivated employee created a criminal precedent. 

Within less than two decades, worldwide computer installations increased from four 
hundred at the beginning of the 1950s to 60,000 at the end of the 1960s (Hamilton 1973, p. 
82). Even so, the scarcity of the new machine still attracted potential users to hack, to gain 
access, and to utilize unauthorized computer time. The term “hacker” in the traditional sense 
was not regarded as computer crime, but as essentially pertaining to computer security. The 
rise of the hacker culture can be dated to 1961 when the Massachusetts Institute of 
Technology acquired the first computer used for commercial time-sharing (Digital 
Equipment Corporation (DEC), Programme Data Processor-1, 1963). The expensiveness and 
rareness of computers necessitated a shared use of these machines to extend their utility as 
widely as possible, in which the boundary between authorized and unauthorized use was 
vague. However, at the same time, a security concern originated due to the breach of access 
control (Association for Computing Machinery Professional Knowledge Programme 1997). 
The exploited processing ability, loss of computing time and even waste of electricity 
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alarmed computer owners. Notwithstanding, the computer systems were not generally 
confronted with threats as serious as the phone systems were. In consequence, the U. S. took 
action to prevent tampering with the phone system (Meinel 2004). Being an early form of 
hackers, phreakers’ intrusion into and interference with the telecommunications system 
became a kind of punishable offence. 

War has been the perpetual inventor in history. Although the apparent causal relation 
between the Cold War and the ARPANET was not widely acknowledged in available 
literature, the latter was surely a product to deal with the threats of a “Hot War” against data 
transmission system. The advantage of this invention was that even if one part of the system 
was destroyed by war, particularly by nuclear weapons, the system could function in its other 
parts through rerouting (Okin 2004, particularly, p. 132). The Internet began in the 
mid-1960s as a programme created by the U. S. Department of Defence to build a 
decentralized network that would provide a communication between various sectors of the 
government in the event of nuclear war or an attack on the U. S. (Hafner and Lyon 1998, pp. 
10-14). The nature of the Internet determined that it was connected primarily to some 
important institutions, but was not open to the general users. An intrusion of the networks 
would endanger interests that were mainly military and those of advanced science and 
technology. 

At the beginning of this first stage, there was neither cybercrime nor cybercriminal law 
in the social and legal environment. When the first computer crimes occurred, no law was 
ready to deal with them (Chen 1990, pp. 71-86; Nelson 1991, pp. 299-321). With the 
emergence of the cybercriminal phenomenon, the principle of “nullum crimen, nulla poena 
sine lege” was applied to protect the fundamental rights of the perpetrators from punishment 
outside the law. Except for the reluctant application of old laws, there was neither a 
cybercrime prohibited by law nor a law enacted against cybercrime. Lack of punishment 
reduced the expected cost of the criminals, which were composed thus of moral costs and 
substantial costs, specifically, the perpetrators’ necessary devices and labour in cybercrime. 
Because there was no cybercrime law, there was neither expected punishment nor the 
expected cost induced by the expected punishment. Under such circumstances, the 
probability of conviction equalled zero. The expected utility of the perpetrator almost 
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equalled the utility of a situation in which crime went undetected or unpunished. According 
to an economic analysis of crime (Becker 1968, pp. 169-217), those who are risk-indifferent 
are indifferent to detection and conviction. For those who are risk-lovers, cybercrime 
becomes a new cause, a new chance, a new challenge, and a new type of risk (see also 
chapters 2 and 3). For those who are risk avoiders, because of the low risk of detection and 
conviction rate of cybercrime, they transfer from other offences to cybercrime. Therefore, the 
number of cybercrimes and perpetrators will inevitably increase. 

Apart from the gap in legislation when the first cybercrime emerged, law enforcement 
had insufficient capacity to deal with it. However, they tried towards imposing punishment 
through application of existing laws. These provided for a preliminary deterrence on 
cybercrime, which could be used to deter the potential offenders of existing types of crimes 
proscribed by existing laws, but was inadequate to deter potential offenders of the types of 
crimes not proscribed explicitly by law. The principle of legality and the limited possibility of 
the legislation restrained the coverage of the law and law enforcement, leaving considerable 
loopholes and having little deterrence on offences that remained untouched by law. As a 
result, deterrence brought very low expected costs for these perpetrators. 

At the same time, existing laws were applied to the limited number of computer crime 
cases in countries such as the U. S. In filling the legal gap, the passage of computer crime 
legislation by states lagged behind computer abuses, and did not happen in this period. 
Furthermore, the debate about computers and personal information only began in the late 


1960s (Wood 1982, p. 111). The debate did contribute to providing some forms of deterrence. 


8.3 The rise of the law against the increasing number of cybercrimes 


Following the first stage, the subsequent two decades form the second stage, which 
began from the 1970s and lasted to the end of the 1980s, during which along with 
individuals’ and organizations’ increasing dependence upon computers, the threats of 
computer crime increased. The general tendency was that computer crime continued to 
increase in volume with a change in methods, while a legal response also began to emerge. 
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Understanding of the nature of the computer continued developing. In a British case, R. 
v Wood, the court held that “The computer was used as a calculator, a tool which did not 
contribute to its own knowledge but merely carried out a sophisticated calculation which 
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cannot have been done manually.” 


It was not a rare situation that even many 
commentators doubted the acceptability of the computer, predicting only with extreme 
carefulness that: “The electronic computer would be technology’s most successful machine 
were it not for the difficulty that people have in accepting it.” (Hamilton 1973, p. 81) Others 
already began to long for the “post-industrial society” (Bell 1974), where the computer would 
not only be broadly used but also be addictively depended on. 

Technological thought developed fast in changing the image of the computer in the 
1970s, from a bulky mainframe that filled a building to a computer in a desk; and in the 
1980s, from a desktop to a host of old and new devices (Mosco 2004, p. 21). The focus of 
this philosophy is that: “The computer would be growing in power while withdrawing as a 
presence.” (ibid.) The philosophical imagination and the technological development of new 
intelligent instruments were propelling an information revolution. Comparatively instant and 
cheap, an e-mail message could be sent from New York to San Francisco in less than a 
minute for about one dollar, as Fetherolf (1982, pp. 216-217) said. The futurist Castells bore 
witness to the fact that: 

“We are in the middle of a major technological revolution that is transforming our ways 
of producing, consuming, organizing, living, and dying.” (Castells 1985, p. 11) 

While technology advanced beyond the ability of the average citizens’ understanding,” 
the operation of computers remained straightforward and vulnerable to criminal manipulation 
(Bequai 1979a, p. 107). According to Bequai, computer crimes during this period fell into 
five key categories, specifically, vandalism, theft of information, theft of services, theft of 
property, and fraud (1979a, pp. 106-107). Both the merely psychic satisfaction and the 
pecuniary gains motivated users to practise unauthorized access to the machines, or to 
information in the machine, hacking for use only being a less guilty act. In fact, before the 


1970s, “using” computers without authorization was more excusable because the available 





264 R. v Wood [1982] 767 Cr. App. Rep. 23. 
6° State ex rel. McCleary v. Roberts, 88 Ohio St.3d 365, 2000-Ohio-345. 
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computers were still insufficient. Later in the 1980s, more computers were available and it 
became unnecessary for general users to intrude into others’ systems. Therefore, 
unauthorized “use” of computers no longer provided an excuse and became labelled “abuse” 
in legal terms. 

During this period, there were only some fragmentary reports of computer abuses and 
accidents. However, the less bulky, low-cost computer attracted an unprecedented number of 
hackers with various motivations. Computer crime was comparatively new and authorities 
reacted in a sluggish manner. It was found that the threat of computer crime was pretty 
relentless. For instance, the average loss of computer crime was dozens or hundreds of times 
that of conventional crimes, regardless of whether the hackers obtained monetary benefits or 
psychological satisfaction. 

Within this stage, the term “cyberspace,” first coined in a fictional work by William 
Gibson (1984) to describe the environment within which computer hackers constructed a 
virtual community, became prevalent. In 1978, nevertheless, a perpetrator deprived a bank of 
10.2 million dollars in the Rifkin case (Forester 1990, p. 263). In 1982, a group of hackers 
intruded into a computer with records of cancer patients’ radiation treatment, modification of 
which might threaten the lives of these patients. Murder became realistic with the computer 
as a tool (Milhorn 2005, p. 59). In 1986, Stoll uncovered an international espionage 
conspiracy (Longstaff and co-workers 1997, p. 234). These cases expressed again the 
potential threats of the hackers against property, life, and state security. 

On the other hand, the development of computer technology, which was designed for 
social welfare, also constituted a significant source of threats to the social order. Similarly, 
the history of technology has been filled with dilemmas of such a kind. For example, 
primitive weapons may exactly be productive tools and vehicles may be hijacked. What was 
going to happen —unfortunately- in the field of computer science was that something 
destructive would be invented. For example, Dan Edwards coined the term “Trojan Horse” in 
1972, denoting an apparently benign macro or utility with undocumented side effects, which 
may be security violating or palpably destructive (Overill 1998). The Trojan horse caused 
great security anxiety with institutions such as the military (ibid). 

Although it is not an exclusive argument, it has been broadly acknowledged that it was 
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in 1984 when Fred Cohen defined a computer virus in his paper (1984). The threat of 
malicious programmes such as a Trojan Horse, a virus, a worm, and a logic bomb, all came 
into being during the 1980s, and necessitated the first business of anti-virus in 1988 (F-secure 
2005). These soft offensive and defensive weapons were expected to play their roles in the 
information warfare in the near future. 

The computer network still played a tiny role during this period. As Clarke (1984) 
pointed out: 

“Even for highly developed countries, these [data and computer networks] are still in 
their infancy, though they undoubtedly represent the wave of the future.” (p. 27) 

Nevertheless, computer security incidents increased steadily with the development of 
computer networks. Losses due to computer crime had been incessantly escalating. In 1980, 
losses from computer fraud and other abuse of computer systems in the U. S. alone were 
estimated to exceed 300 million dollars (Wood 1982, p. 69). In contrast, although software 
theft found its way in 1964 (Forester 1990, p. 3), and in the late 1970s, large-scale piracy 
became common due to the use of the personal computer and packaged software (Forester 
1990, p. 4), there have been very few breaches of privacy reported (Wood 1982, pp. 
118-119.). 

In the early 1970s, according to Sieber (1998), most developed countries introduced 
laws criminalizing computer crime. More laws and regulations were implemented in more 
countries in the 1980s. Within this period, all of the Nordic countries had their 
data-protection laws in place.*®° Countries made every effort to eliminate legal gaps to 
punish cybercrime. The characteristics of legal countermeasures during this stage were that: 

There were merely fragmental computer crimes and fragmental legislations; 

Legislation concerning computer crime was generally concentrated in a developed 
country; 

New crimes such as time theft posed considerable contradictories in the field of law 


(BloomBecker 1981, pp. 16-17); 





6° Such as Swedish Data Act 1973, Norwegian Data Registers Act 1978, Danish Freedom of 
Information Act 1985, Finnish Personal Data File Act (Act 471/1987), and Icelandic Act respecting 
Systematic Recording of personal Data 1989. 
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Laws were not effective enough (See Dierks 1993, pp. 307-342; see also Rosenblatt 
1990, p. 35), and there was a general “lack of deterrence” (Bequai 1978, pp. 5-6). 

In short, at the second stage of the development of cybercrime and deterrence, 
cybercrime was in its growth period, with both the extent of cybercrime and the supply of 
perpetrators increasing. Although the costs of cybercrimes were continually increasing due to 
the increasing legislation and law enforcement, they were lower than other well-punished 
crimes. Thus why rational criminal investors rushed into the new field. Countermeasures 
against the increasing crimes increased deterrence, which represented an increased 
probability of detection by new police forces and an increased severity of penalty through 
new laws. In the development of the struggle between cybercrime and punishment, most 


types of cybercrimes emerged and to a certain extent were deterred. 


8.4 A legal system wrestling with networked adversaries 


The pace of cybercrime became faster and faster. The third stage roughly covered the 
whole of the 1990s, when cybercrime expanded and the relevant legislation was broadly 
implemented. During this period, personal computers entered homes and offices throughout 
the developed world and even in the less-developed countries (Mosco 2004, p. 2). Bill Gates’ 
The Road Ahead (1995), Nicholas Negroponte’s Being Digital (1995) all concentrated on 
building a new world in cyberspace. Tapscott (1996) announced that: 

“Today, we are witnessing the early turbulent days of a revolution...A new medium of 
human communications is emerging, one that may prove able to surpass all previous 
revolutions...in its impact on our economic and social life.” (p. xiii) 

Although the information revolution was processing with different styles in countries at 
a different economic level, the impact of computers on society seemed to be reaching into 
every aspect of social life (Mosco 2004, p. 18). Alongside the scientists who were hopeful of 
the new development, the politicians in addition attempted to connect computer 
communication, economic growth, democracy, and a better environment. As Al Gore said: 

“..[W]e will derive robust and sustainable economic progress, strong democracies, 
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better solutions to global and local environmental challenges, improved health care, and...a 
greater sense of shared stewardship of our small planet.” (Gore 1994) 

However, since the 1990s, cybercrime had entered a rapid process of globalization. 
Initially funded by the government, and limited to academic and official uses, the interest in 
the commercial use of the Internet began to be satisfied from the early 1990s; since then, 
computer networks have attracted great public attention (Kollock and Smith 1999, p. 3). The 
U. S. introduced the concept of the National Information Infrastructure (NII) to “unleash an 
information revolution” (Rowland 1998). With the invention of the WWW, access to the 
Internet was available to average users. The growth of the Internet was surprisingly fast. 
From then on, global computers connected to and users acquiring access to, the Internet were 
confronted with threats from a globalized cyberspace. Following the last stage, cybercrimes 
have developed into forms that are more complicated. The cyberspace where perpetrators 
lived, the virtuality that they wanted, the cable by which they were linked, the knowledge that 
they had acquired, the tools that they invented, and the platform on which they shared 
information provided criminals of different degree of sophistication with new incentives. 

Personal information could be caught during the transmission process. Personal 
computers could be attacked during voluntary surfing of the Internet. Web sites could not 
only be tools by which attacks were carried out, but could also be targets for attacks. 
According to the statistics by Alldas.de, about 72 web sites were defaced by 47 attackers in 
1998, about 1,079 web sites defaced by 430 attackers in 1999 (Li 2003). The General 
Accounting Office reported 250,000 attacks against the U. S. Department of Defence 
computers in 1995. °°7 These numbers represented different aspects of the situation of risks 
and threats on the Internet. 

Cybercriminals also found their way into electronic communications, such as the e-mail, 
the abuse of which became an advertising means for underground marketing, or an annoying 
forum. The large-scale unsolicited e-mail became known as spam (Kelly 2002), which has 


been converted into one of the side products of electronic marketing. 





67 Union Calendar No. 468, the 104th Congress, second Session, House Report 104-861, Federal 
Government Management: Examining Government Performances as We Near the Next Century 
Eighteenth Report, by the Committee on Government Reform and Oversight together with Additional 
and Minority Views, 28 September, 1996. 
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Moreover, a series of attacks from malicious programmes happened (Drummond and 
McClendon 2001), and web sites suffered great threats. The businesses of anti-virus and of 
the security services continued developing. By 1990, many anti-virus products were 
introduced from big companies. To some extent, this indicated that the security-induced cost 
of individual and organizational users had further increased. 

The victimized entities began to report enormous losses caused by the infringement of 
intellectual property. Many web sites, software authors and ordinary Internet users adopted 
various ways of transferring and exchanging pirated works. The infringement of copyright 
text, audio, video and multi-media works had entered a stage that seemed impossible for any 
of the existing authorities to control. 

Cybercriminals attacked various private and public targets all over the world, in respect 
of which some hacking investigations were successful in arresting the perpetrators. In the U. 
S., the FBI opened 547 cases of “computer intrusion” in 1998, while the number of such 
cases increased up to 1,154 in 1999 (Freeh 2000). The financial crisis in Asia and a series of 
bankruptcies of big enterprises also alerted attention to the fact that cybercrime could bring 
about disasters to the global economy. 

Starting from this period, with the rapid rise of the Internet, the influence of the Internet 
on cybercrime began to be considered in legislation, the contents of which became rich and 
the range of which was expanded. The gradual formation of international harmonization 
affected some national legislation. Computer crime and relevant legislation was globalized, 
expanded from developed countries to less developed countries and to developing countries. 
Law enforcement also took a series of measures against cybercrime. For example, in 1990, 
the U. S. organized a nationwide crackdown on cybercrime, leading to successful arrests, 
criminal charges, a dramatic show-trial, a number of guilty pleas, and massive confiscations 
of digital evidence and equipment (Sterling 1994). 

From the above analysis, it can be found that at the third stage of development, 
cybercrime tended to be saturated and the growth rate was thus decreasing. To reach this 
stage, most types of cybercrimes emerged and been criminalized, the probability of detection 
had reached a higher level, severity of punishment had reached a higher degree, and most 
potential users of computers and networks were connected, leaving little space for the 
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undeterred types of cybercrime. The marginal benefits of one more case of cybercrime was 
going to decrease, while the marginal costs of one more case of cybercrime was going to 
increase (for general theory about marginal costs and marginal benefits of crime, see Becker 
1968; for modern application of this theory, see Cooter and Ulen 2003). Therefore, 
cybercrime tends was being saturated. At this stage, deterrence continued to increase to a 
certain extent, until it reached the completeness, specifically, the optimality of marginal 


utility. 


8.5 The equilibrium between cybercrime and deterrence 


Although the commencement of the year 2000 witnessed a surprising breakdown in the 
network economy boom (Mosco 2004, p. 45), the cybercriminals did not demonstrate any 
sympathy with the dot coms” nor with the stock markets. The fourth stage developed 
roughly from the year 2000, when cybercrime was becoming routinized, and the legal gap 
filled. 

The large-scale Denial of Service attack against high profile web sites created great 
panic in society about the Internet infrastructure (Levinson 2002, pp. 524-525). A long list of 
viruses that were written by people who were in jurisdictions where there was no law against 
hacking, that were written by means of specific software, which included multiple methods 
of attacking, that caused billions of dollars of losses, and that disabled anti-virus products, 
indicated the seriousness of the threat and the necessity for the countermeasures (See Katyal 
2001, pp. 1003-1114). 

In contrast to these anarchist attacks, the advance-fee fraud induced the victims to 
transfer money voluntarily to the criminals. The advance-fee fraud, or 419 fraud, which was 
named after the applicable section of the Nigerian criminal code and was committed in a 


more organized manner, has victimized people from around the globe.” The average 





*68 Dotcom denotes “a commercial company that operates through the Internet.” See Daintith (2004), 


p. 163. 
*® Nigerian Criminal Code, Chapter 38, Section 419 simply provides for the crime and punishment of 
fraud: 


252 


Nigeria 419 victim has lost 5,575 dollars, making 419 fraud one of the most costly financial 
frauds for individuals (Fager 2002, p. 20). 

As to the increase of web sites, attacks against web sites rapidly increased. According to 
the statistics of Alldas.de, about 4,394 web sites were defaced by 2,255 attackers in 2000, 
while about 4,797 web sites were defaced by 667 attackers in the first season of 2001 (Li 
2003). The defacement of web sites became a significant problem comparable with graffiti 
street buildings. 

The quantity of cybercrime incidents and malevolent attacks has, nevertheless, fallen 
from year to year since 2001. According to a survey conducted by the CSI and the FBI in 
2003, general financial losses totalled, from 530 survey respondents, 201.7 million dollars, a 
sharp drop from the previous survey total of 455.8 million dollars. In the 2004 survey, overall 
pecuniary losses totalled, from 494 survey respondents, 141.5 millions dollars (CSI 2004). In 
2005, the survey indicated losses, from 639 respondents, that totalled 130.1 million dollars 
(CSI 2005, p. 14). The reasons for these reduced figures were not clear, but the improved 
security measures, law enforcement, legislation and international cooperation may all 
contribute to prevent cybercrime. 

Many developed and developing countries have implemented cybercrime laws. From 
the point of view of International harmonization, the Convention on Cybercrime entered into 
effect on 1 July 2004. Starting from the 9/11 attacks, a serious international concern about 
cyber terrorism was brought about the by large-scale distributed denial of service attacks,””” 
and it spread among governments, legislatures, law enforcements, and academia. 

At the fourth stage, due to the decrease in the marginal utility and increase of the 
marginal cost of one more crime, and the constant increase in the means of deterrence, total 


number of cybercrimes has shown a prospect of decrease in so far as the potential perpetrator 





“Any person who by any false pretence, and with intent to defraud, obtains from any other person 
anything capable of being stolen, or induces any other person to deliver to any person anything 
capable of being stolen, is guilty of a felony, and is liable to imprisonment for three years. 

If the thing is of the value of one thousand naira or upwards, he is liable to imprisonment for 
seven years. 

It is immaterial that the thing is obtained or its delivery is induced through the medium of a 
contract induced by the false pretence. 

The offender cannot be arrested without warrant unless found committing the offence.” 

*1 Distributed denial of service is a form of denial of service launched from many computers in 
different locations. See Daintith (2004), pp. 159-160. 
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realizes the fall in the optimality of benefit from cybercrime (for general theory about 
marginal costs and marginal benefits of crime, see Becker 1968; for modern application of 
this theory, see Cooter and Ulen 2003). The cybercriminal will, additionally, have to take 
higher risks than before. It turns out that risk-avoiders will retreat from cybercrime, that those 
who are risk-neutral and risk-lovers will also discover it less attractive to commit cybercrime 
than other crimes, and tend to discontinue their adventure. Under such circumstances, the 


deterrence exercised by legislation and law enforcement can ultimately be recovered. 


8.6 Conclusion 


During recent decades, society has experienced a fast and frightening increase in both 
information systems and information transgression. The development of cybercrime follows a 
route of innovation of the ICT, generations of computers, enlargement of the networks and 
emergence of anti-security techniques. The faster the speed of information processing is, the 
broader the network connection covers, the more users are engaged in the information 
industry, and the more dependent on information modern society becomes, the higher the 
risks and the more serious the threats people will have to face. Naturally, the number and 
gravity of cybercrime will also increase. However, any increase will not be limitless. 

The basic summary of the historical scene revolving around cybercriminal phenomena 
presents us with the reality that the increase of both cybercrime and deterrence remain 


unbalanced. In a word, people do much, but not enough. 
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CHAPTER 9. DILEMMAS IN THE CRIMINALIZATION OF CYBERCRIME 


9.1 Introduction 


Previous chapters have placed on the scale many weights on the side of factors 
favourable to crime. From this chapter onwards, I am starting to recover the balance by 
adding more weights on the other side of the scale where the preventive factors are located 
and doing this mostly by revealing the differences and difficulties in legal development. 

This chapter will first explore a time-lag in criminalization, stated in Chapter 8, Section 
8.6, and which is still one that falls into the temporal dimension. The other sections will be 
devoted to exploring the spatial dimension of criminalization, that is, the differences between 
the various countries. 

The general objective of the legal framework is to promote the welfare of human beings. 
In particular, the functions of criminal law have been designed to protect society from harm, 
deter crime, and maintain the legitimate rights of the criminal. The practical threats of 
cybercrime that the contemporary society is confronted with necessitate regulation by 
criminal law. As the Governmental Proposal of Finland HE 135/2006 pointed out, the new 
provisions on cybercrime in criminal law will have the function of improving the penal 
protection of electronized information and communications, to provide the authorities with 
more efficient tools to deal with cybercriminality, as well as to improve the legal status of the 
victims of cybercrime.””! 

However, there is neither a ready-made model for every country to follow, nor a uniform 
format for use. Establishment of a set of unprecedented rules for a new phenomenon costs 
more time, money and labour, possibly causing more imbalances between power and rights, 
inconsistency between laws and reality, and contradiction between existing law and new law. 


The process of criminalizing cybercrime is proving to be an arduous task. The information 





*71 HE 153/2006, General Justifications, 4. Effects of the Proposal. 
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age facilitates social transformation and legal diversification; therefore, laws cannot be 
immobilized for too long. This chapter analyses the factors that cause a time-lag in the 
process of criminalization, that cause international differences, and that cause the differences 
between criminal phenomena and legislation. The chapter also illustrates the prospect of 
diversified models and contents of international criminalization and points out its influence on 


international assistance in criminal justice. 


9.2 The time-lag in criminalization 


The criminalization of cybercrime is implemented through the amendment of existing law 
or the creation of new law. Compared with the changing social reality, laws are relatively 
stable. Criminalization is not implemented always as instantly as the transformation occurring 
in cybercriminal phenomena. Change of social condition and criminal phenomenon is 
accelerated by the indescribable innovation of ICT, but the legislating process is limited by 
interest conflict and by continual disputes and debates. The virtually unrestrained 
development of the technological context of society constantly outpaces the restricted 
evolution of the legal system. Although legislatures are apparently more rational than 
criminals in the sense that all people are rational and their choices are different in legal 
matters, rational criminals can at all times act ahead of the more rational legislature. 
Subsequently, the time-lag in legislation is unavoidable. We can identify the following 
primary factors: 

Firstly, criminal phenomena are developing rapidly with social change. The advance of 
modern society is propelled by technological innovation. As a social phenomenon, the 
development of cybercrime is integrated into all ingredients of society. They are changing at 
the same rhythm. Crimes in which information systems play different roles are emerging, 
with an increasingly short cycle. The development of such phenomena is solely limited by 
technological factors but not by human and social factors. While criminal phenomenon is 
dynamic, law is stationary for a short period. Legislation cannot be updated in time to reflect 
the changed social condition. For example, the first computer crime case of the U. S. occurred 
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in 1958, was discovered in 1966, but the first law punishing computer crime was passed as 
late as 1984. Similarly, the first computer crime case in China happened in 1986, nevertheless, 
the earliest provision on computer crime took effect only in 1997 when the Penal Law was 
amended. The one or more decades of time-lag in criminalization indicate that the 
perpetrators of cybercrime have not been sufficiently detected and that the users of computers 
and networks have not been adequately protected during the intervals (see Chapter 8). In 
practice, many other countries than China still have no law or no effective law penalizing 
cybercrime but are full of suspects, perpetrators and conspirators of cybercrime. 

Secondly, unlike most traditional offences that the state proscribed under a clear-cut 
criterion in respect of their harmful nature, many cybercriminal offences involve disputes 
between interest groups, which lead to interest conflicts in criminalization. Criminalization, 
decriminalization, and anti-criminalization interweave in a complex dynamic process. Many 
factors that the legislature must consider and balance have to be taken into account during the 
process of criminalization. In such a process, although the most preferential element is the 
maintenance of social order, the legislature must as well consider issues involving both 
protection of human rights and deterrence of potential crimes. 

The legislature also needs to consider the prospective technological development and 
interests of different players in information society. The ideal practise should be to enact law 
in such a way that illegal activities are punished, while legal activities are protected and 
encouraged. However, the judgment of deciding what is legal and what is illegal is not a 
straightforward problem in modern society. Unlike traditional crimes, mala in se, such as 
murder, larceny, and arson, which have been considered as breach of morality, most of 
modern offences are mala prohibita, that is to say, statutory offences. To determine whether 
to punish an activity or not, increasing consideration is focused on the way the benefit is the 
bigger, to punish or not to punish, or to punish the wrongdoer or to victimize the welldoer. 

In the ICT industry, a universal anxiety is that a strict regulation on activities of 
developers and service providers would hinder the development of technology and the 
economy. They require a comfortable legal environment to carry through their innovative 


strategy. Because ICT represents a new direction of social advancement, the current legal 
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framework apparently leaves an IT industry an adequate discretional space. Therefore, strict 
liability and vicarious liability have not been imposed in this early stage. 

Occasionally, the legislative process becomes a tangle between different interest groups, 
particularly in regulating ICT industry and imposing liability on ICT enterprises. In the strict 
sense of observing the legislative process concerning cybercrime, between public power and 
private right, public power seems the more powerful; between the private rights of institutions 
and individuals, the right of institutions seems more powerful. Forces of a certain interest 
group are powerful enough to oppose and prevent the adoption of a bill. For example, the 
corporate liability of cybercrime confronts a situation in which the Internet service providers 
reject liability imposed by provisions other than the service agreements. On the other hand, 
evidence has proved that search engines are cooperating with governments in censoring 
online contents, messages, and monitoring activities worldwide. Supplementary of explicit 
responsibility and liability for Internet enterprises will be a reality eventually. However, at 
present, it will take more time to weigh the interests of the public and private sectors, between 
the individual and organizational players, and between service providers and consumers. 

Thirdly, legislation is relatively stable. It is stabilized by the legislature in an arduous 
lawmaking process: drafting, debating, revising, lobbying, voting, and signing into law. The 
process of legislation lasts long enough to maintain stability — a status of remaining 
unchanged before successive legislatures over time, during which period victims and law 
enforcers are waiting for legal amendment, while perpetrators are going unpunished. Each 
new criminal phenomenon has to be discussed and argued for a long time before clearly 
defining its concept, constituents, categories, scope, degree, and suitable punishment. 
Legislation has to be drafted carefully and debated intensely before it can be passed so as to 
ensure the seriousness and stability of the legal system. Special care should be taken in the 
process of criminalizing cybercrime. A law that cannot balance between interests and benefits, 
human rights and state powers, cost and effectiveness is not necessarily better than unruliness. 
The legislation on cybercrime, therefore, has always been a long-term task. 

With a better understanding of cybercriminal phenomena, the countries that have passed 
laws first may be modelled on by other countries. The country that legislated later may have a 
better basis in terms of availability of either cases or materials for reference, and thus their 
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process of legislation may be shortened. When we read the laws of some English speaking 
Commonwealth member countries, we can find that the provisions in their law are usually 
modelling the U. K. law. The legislation resources of these countries have naturally been 
time-, cost- and labour-saving. However, this represents only a special example. For most 
countries, there is not such a model to follow. When a model law is translated into other 
languages, when the spirit of such a model law is expressed by a set of different conceptions, 
and when the contents are understood by people with different legal traditions and social 
backgrounds, these countries again will “create” different versions of laws. The impossibility 
of a worldwide model law naturally increases the difficulty of drafting appropriate legislation. 

The discussion about criminalizing cybercrimes is further interwoven into the 
argumentation about the reform of criminal policy. The humanitarian tendency of modern 
criminal policy is accompanied by a decriminalization of victimless offences in many 
countries, including the retreat of criminal law from areas of conduct relating to alcohol, 
drugs, sex, and gambling (Feldman 1993, p. 4). At the same time, the increasing influence of 
scientific and industrial advances on human safety and social security hastens the 
criminalization of new types of crimes (Feldman 1993, p. 5). The process of identifying 
various cybercrimes is inevitably complicated by a changeable and unsolvable disputation on 


social values. This further prolongs the legislative cycle. 


9.3 International differences in criminalization 


Whereas cybercrime is possibly trans-territorial, the problem of deterring cybercrime 
must be considered against the international background. The commonness and individuality 
of the legislations in various countries influence transnational investigation and conviction of 
cybercrime. However, the central concern is that criminalization also meets the problem of 
differences between countries in the selection of technical terms, classification methods, and 
provision of constituents, promulgation of penalties, divergence of jurisprudential notions, 


and diversity in the validity of the laws. The most significant factors include: 
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First, conceptualization is the starting-point of any legislation, which should include 
well-defined terminologies. Within legislation in a domestic language, obstacles will not be so 
large that understanding and comparison become a problem. However, in the international 
context a semiotic issue emerges as an implicit dynamic to create legislative differences. This 
question can be translated into the differences in comprehending the exact meanings of 
technical terms. The differences between traditional conceptions and native languages 
determine the differences between the technical terms used in the legislation, apart from the 
problems of the multiplex informal wordings. To measure these differences, when we try to 
translate these terms from different languages into one language, the meaning of the original 
terms may change a lot. From the nature of language and translation, exact comprehension of 
these terms in a benchmark language is not possible. Only a rough approximation in 
understanding is available. 


In the case of cybercrime law, the general name of “cybercrime” can also be expressed as 


99 66 99 66 99 66 99 66 


“computer abuse,” “computer misuse,” “computer crime,” “computer-related crime,” “crime 


99 66 99 66 


by computer,” “computer-facilitated crime,” “hacking,” “Internet crime,” “online crime,” etc. 
in English alone. There are as many different terms denoting “cybercrime” in some other 
languages as well. 

Furthermore, the linguistic difference exists in every aspect of describing the 
phenomenon of cybercrime. In English-speaking countries, the mens rea of illegal access is 
prescribed as “intentionally” in Australia and New Zealand, but as “knowingly” in the U. S. 
These two words are explained in most dictionaries as synonymous, that is, as “deliberately.” 
However, if we translate these two words into other languages, for example, Chinese, the 


39 


understanding of them would be different. “Intentionally” is generally translated as a term 
with the meaning of “doing deliberately, doing actively’, while “knowingly” is generally 
translated as the term with the meaning of “doing when knowing clearly.” The emphases in 
them are different. 

Secondly, legislation in different legal systems, such as in the Common-law system, the 
Roman-German law system, the Scandinavian law system, the Islamic law system, the 
Chinese law system, etc., and in different countries of a certain legal system, are determined 


by many factors, such as culture, religion, regime, etc., to create a unique typology of 
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cybercrime. Therefore, there is a reality of typological differences, which exist in the 
categorization of cybercrimes when criminalized. Only laws in a few countries have a full 
coverage of cybercrimes, such as the U. S. Most countries have criminalized some of the 
publicly recognized offences, such as illegal access to information systems, online fraud, etc. 
Some other countries implement very principle-bound provisions, such as Myanmar, where 
severe punishment is imposed on any person who carries out an act “which undermines State 
Security, prevalence of law and order and community peace and tranquillity, national unity, 


the State economy or national culture.”?” 


In many countries, there is totally no law 
regulating cybercrime. These countries are not able to cooperate in law enforcement due to 
the lack of relevant provisions in their substantive laws. Under such circumstances, it is 
impossible for these countries to cooperate successfully in investigating an urgent cybercrime 
case. Even if they have an extradition and assistance mechanism, the substantive law obstacle 
makes it impossible to take any trans-border action against a trans-border offence. So if the 
laws are different, the requirement of “double criminalization” should be eliminated, as it was 
done in the Council of Europe Convention on Cybercrime. 

Thirdly, differences exist in prescribing the constituents of cybercrimes. Besides different 
technical terms and varied definitions of the scope of the coverage, differences between the 
constituents of a certain offence in different countries are also likely to pose obstacles for the 
international harmonization of legislation and for the cooperation of law-enforcement 
agencies. The Convention on Cybercrime is a model of international implementation, but in 
granting member states discretion in deciding whether they intend to criminalize certain kinds 
of offences, or in requiring certain kinds of constituents for a certain offence, it may leave 
loopholes in the legislation at the state level. The EU Framework Decision on Attacks against 
information systems (12 May, 2003) correctly recognized that: 

“There is a need to achieve a common approach to the constituent elements of criminal 
offences by providing for common offences of illegal access to an information system, illegal 


system interference and illegal data interference.” (Preamble (11)). 





*72 Myanmar Computer Science Development Law, The State Law and Order Restoration Council 
Law No. 10/96, The Eighth Waxing of Tawthalin, 1358 M.E., 20 September 1996. 
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Fourthly, differences exist in the legal penalties for cybercrimes. Traditional principles of 
penal law require that the severity of penalties matches the seriousness of the offences: light 
penalty for a light offence, and severe penalties correspondingly for a serious offence. 
However, the situations in different countries are very diversified. An offence may be 
regarded as the most serious threat to public order in one country, while in other countries it is 
thought to be minor nuisance. 

The laws of different countries are also likely to provide penalties of different gravity for 
the “same” cybercrime. The difference between penalties may be caused by such factors as: 
the difference in the traditional starting-point and in the range of punishments in the entire 
penal law as well as in the difference between attitudes towards the harmfulness of 
cybercrimes. In each country, if a cybercrime involves harm to the state interest, it will draw a 
more severe penalty. For example, espionage has always been punished by the most severe 
penalty. However, as far as common cybercrimes are concerned, between the different 
countries, the starting-point of the penalty may clearly differ. Many countries provide 
imprisonment of from two months to several years for different offences or different 
circumstances of the same offence. In some countries, the penalty is more severe. For 
example, in Mauritius, the penalty for computer misuse is penal servitude for a term not 
exceeding 10 years and a fine not exceeding 100,000 rupees; in aggravated circumstances, 
that is, when the data contained in the computer is suppressed or modified or the operation of 
the computer is altered, the penalty will be penal servitude for a term not exceeding 20 years 
and to a fine not exceeding 200,000 rupees.” In Singapore and the U. S., imprisonment for 
not more than 20 years is also possible for a cybercrime.*”* 

Fifthly, Chapter 3 Section 3.2.4 discussed the fact that differences exist between notions 
concerning online content and activities. Jurisprudential conceptions in each country are 
unique and incomparable, particularly concerning what constitutes a cybercrime and what 
does not, and what kind of a situation draws a severe or light punishment, etc. In China, 


offences against state security are of great concern to the criminal-justice system. If messages 





73 The Mauritius Information Technology (Miscellaneous Provision) Act 1998, Act No. 18 of 1998, 


Penal Code Section 369A. 
4 18US.C. § 1030 (c) (4) (C). 
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were published online involving propaganda and instigation upsetting state security, author 
and publisher are both held liable. Similarly, in some other countries, racist, fascist, and hate 
speech are strictly censored and prohibited. However, some other countries where these 
messages may be protected by clauses on freedom of speech according to their state 
constitutions. These differences make trans-national prosecution and international assistance 
impossible. International actions are certainly intended to eliminate differences. Nevertheless, 
these actions will certainly be resisted by tradition, which may not be expressed in explicit 
language. 

Sixthly, laws have their own lives. Let us borrow the legal realists’ concept about law in 
the book and law in action. A Law in a book may seem excellent, but that law in application 
may cause embarrassment. Differences exist between the validity of laws. The problem is that 
cybercrime havens not only exist in countries without law, but also exist in countries with 
laws. That is to say, law and law enforcement have different functions and play different roles 
in different countries. Some countries strictly adhere to the principle of legality where neither 
the innocent is punished nor the criminal connived at. In some other countries, laws are not 
uniformly enforced at this time or that time, upon this person or that person, in this case or in 
that case, and by this agency or agent or by that agency or agent. While cybercrime is not 
territory-bound, law enforcement is always territorial. The legislation gap is worsened by the 


law-enforcement gap. 


9.4 Differences between criminal phenomena and criminalization 


The criminalization of cybercrime is also different from the actual criminal phenomena 
due to the limited coverage of legislation, the changeability of categories and methods of 
cybercrime, the influence of a changing constitution on legal constituents, and the influence 
of a changing sense of gravity on the legal penalty. The main differences comprise: 

Firstly, that criminalization has a limited coverage compared with criminal phenomena. 
While the change of cybercriminal phenomena is very fast, coverage of criminalization is 
always limited to existing offences. In other words, criminalization is bound by the reality of 
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a relative fixed period, but the phenomenon is not bound by this reality. The scope of 
cybercrime is constantly extending, with unexpected tendencies and an uncertain future. 
Legislation has only a limited capacity to predict. Once passed and enacted, legislation will 
commence to have an increasingly longer distance from the reality. In the face of a rapid 
development of cybercrime, the coverage of legislation will soon become narrower than the 
reality. 

Secondly, categories and methods of cybercrime are changeable, while laws are relatively 
stable. Categories of cybercrimes are changing and sometimes difficult to grasp during the 
preparation for a legislative bill. Definitely, this does not mean that there will be new 
categories or methods everyday or every month. It does mean that the update cycle of 
categories and methods of cybercrime is faster than the possible update cycle of the law. In 
some cases, new categories emerge or new methods are used suddenly, without any omen and 
warning. In recent years, the most shocking events in real society may be the 9/11 attacks on 
the U. S. In incidents relating to information systems in the virtual world, the breaking out of 
the viruses has a similar effect. For example, the Philippine boy who created the Love Bug 
exploited his motherland’s legal gap at large.” Although sometimes a technological reaction 
against a new virus can be in place several hours after the attack has commenced, and at other 
times legislation on a new cybercriminal phenomenon can be drafted in several weeks, there 
is still a time-lag, that is, the difference between the time of the attacks and the time it takes to 
change the law. 

Several years ago, when action was taken to prevent computers from infecting viruses, a 
major concern was to be careful not to open a floppy disk with contaminated files or e-mail 
with an attachment containing viruses. The reliable countermeasure was to impose 
responsibility on the operators to check viruses before opening a disk or an e-mail. Those who 
failed to do so were subject to a charge of negligent liability. After several years, floppy disks 
are no longer the major medium for spreading viruses. The e-mail remains the primary 


spreader, but most service providers are armed with an automatic examination system and 





* The suspected virus author was Onel de Guzman, who escaped prosecution due to the absence of 


cybercrime law in the Philippines when the offence was committed. See Graham Cluley, Cybercrime 
and Punishment, Computer Weekly, 29 November 2001. Retrieved 15 March 2007, from 
http://www.computerweekly.com/Article108188.htm 
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classify clean e-mails and contaminated e-mails for users. When there is a contaminated 
e-mail, the automatic system will delete it and user cannot open it any more. Therefore, the 
operators’ liability seems less critical in this case. The obligation and subsequent liability on 
the service provider become urgent. Similar examples in the field of cybersecurity and 
cybercrime should be carefully considered in legal reforms. 

Thirdly, the seriousness of cybercrime changes fast and has its influence on the legal 
penalty. The traditional principle of criminal law requires that punishment be proportionate to 
crime. When a kind of offence initially emerges, its gravity cannot be recognized in its 
entirety at first. If a law does not have the full coverage of the gravity of the situation, it may 
be faced with the need for an urgent amendment after a short period of enactment. A notable 
example is the denial of service attacks. This term became popularized only in recent years 
due to the distributed denial of service attacks. However, the term can be found in books 
published more than two decades ago. That is to say, denial of service had less harmful forms 
and less conspicuous effects. Countless losses and the danger of bankruptcy for giant online 
enterprises gave publicity to this fatal offence. If the previous law did not even contain a 
clause to punish the offence, the legislature has to take action to penalize it. If the previous 
law contained a clause to punish the offence with a lighter penalty, the legislature has to 
penalize it more severely. The law must be adapted to the development of social 


requirements. 


9.5 Diversified criminalization models 


Everything concerning criminal law, specifically, defining, classifying, grading, 
prohibiting, and punishing, is in the hands of the legislature of each jurisdictional unit. 
Criminal law has struggled to keep up with the expanding technologies of cyberspace (See 
Lessig 1999; Katyal 2001). More and more countries in the world have enacted computer 
security laws and statutes, starting though from different viewpoints. Cybercrime is treated as 


a special type of crime and special statutes are required to define cybercrimes (Brenner 2004). 
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The criminalization of cybercrime may possibly take one or more of the following legislative 
forms. 

The first model is that of an international treaty, which was accepted in some countries 
before their criminalization of cybercrime. International treaties in the field of criminal law 
achieved several goals in criminalizing international and trans-national offences. The adoption 
of the Convention on Cybercrime and other corresponding treaties represents the integration 
of world cybercrime law. Forty-three countries signed the Convention, and 19 of them have 
ratified or accessed it.””° The Convention took into effect from 1 J uly 2004. Before the U. S. 
ratified the treaty, all member countries were located in Europe and represented a small 
geographical area and a small demographic figure. In order to eliminate safe havens for 
criminals, an increasingly broad consensus at the international level is being achieved. 

The second model is that of a penal code. Countries with penal codes punish cybercrime 
either through an old law to deal with new offences, or through interpreting and revising the 
old law to create new offences. These enable these countries to perfect their penal codes. The 
most developed countries completed the criminalization process in the 1980s; while 
developing countries and less-developed countries completed the process a decade or so later. 
Currently, many penal codes in the world incorporate provisions on cybercrime, such as those 
of Austria, Azerbaijan, Belgium, Byelorussia, Canada, China, Colombia, Croatia, the Czech 
Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, 
India, Italy, Japan, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Malta, Mexico, Mongolia, the 
Netherlands, Norway, Peru, Poland, Russia, Slovakia, Slovenia, Spain, Sweden, Switzerland, 
Tajikistan, Tunisia, Turkey, Turkmenistan, Ukraine, and Uzbekistan, etc. 

The third model is that of a criminal statute. Countries with or without criminal codes 
usually enact criminal statutes to create specific offences in order to fill legislative and 


judicial gaps. For example the following legislations: 





*716 These countries are Albania (date of entry into force: 1 July 2004), Armenia (1 February 2007), 


Bosnia and Herzegovina (1 September 2006), Bulgaria (1 August 2005), Croatia (1 July 2004), Cyprus 
(1 May 2005), Denmark (1 October 2005), Estonia (1 July 2004), France (1 May 2006), Hungary (1 
July 2004), Iceland (1 May 2007), Lithuania (1 July 2004), the Netherlands (1 March 2007), Norway 
(1 October 2006), Romania (1 September 2004), Slovenia (1 January 2005), and the Former Yugoslav 
Republic of Macedonia (1 January 2005), Ukraine (1 July 2006), and the U. S. (1 January 2007). See 
Council of Europe Web site, http://conventions.coe.int/ 
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The Cybercrime Act of Australia, 

The Computer Misuse Order of 2000 of Brunei Darussalam, 

The Law on Automated Data Processing Crimes no. 19.223 of Chile, 

The Law No. 679 of 2001 on Abuse and Pornography of Minors on the Internet of 
Colombia, 

The Criminal Justice (Theft and Fraud Offences) Act 2001 of Ireland, 

The Criminal Damage Act of Ireland, 

The Act of Unauthorized Access to Computer Systems and the Internet of Japan, 

The Act of 15 July 1993 relating to the reinforcement of the fight against financial crime 
and computer crime of Luxembourg, 

The Computer Crimes Act of Malaysia, 

The Computer Misuse and Cybercrime Act 2003 (Act No. 22 of 2003) of Mauritius, 

The Crimes Amendment Act 2003 No 39 Part 1 s 15 of 7 July of New Zealand, 

The Commonwealth Cybercrime Act 2001, 2002, 2004 of Pakistan, 

The Prevention of Electronic Crime Act 2007 of Pakistan, 

The Criminal Information Law 1991 of Portugal, 

The Computer Misuse Act of Singapore, 

The Computer Crime Act 2003 of Sri Lanka, 

The Computer Misuse Act of 2000 of Trinidad and Tobago, 

The Cybercrime Law No. 2 of 2006 of United Arab Emirates, 

The Computer Misuse Act of the U. K., 

The Police and Justice Act 2006 Chapter 48 (November 2006) of the U. K., 

The Computer Fraud and Abuse Act of the U. S., 

The Special Statute against Computer Related Crimes of Venezuela, and 

The Computer Misuse and Crime Act 2004 of Zambia, etc. 

In countries with penal codes, the criminal statutes can also revise the general provisions 
of the penal code in the meantime and fulfil the process of criminalization. 

The fourth model is that of inserting criminal clauses into non-criminal statutes. In these 
non-criminal statutes, the legislature usually binds several criminal-law clauses together so as 
to criminalize cybercrimes. With its emphasis on efficiency in legislation, this form of 
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criminal-law reform has been widely taken up by more and more countries, for example, in 
China, the Standing Committee of National People’s Congress passed Decisions on 
Maintaining Internet Security in 2000, criminalizing a wide range of cybercrime. The 
Personal Data Protection Act 2000 of the Argentine, the Privacy Act of Austria, etc. also 
include criminal clauses. In many other countries, some kinds of data protection laws were 
implemented early in the 1970s and thereafter, partly covering punishment for deviant 
behaviour against automated data processing. 

The fifth model is that of legal interpretation. The application of law requires 
interpretation. The power of interpretation, nonetheless, is generally distributed between 
different agencies, for example, the legislature and judicature, which can interpret laws 
effectively for different situations. In some countries, there is no specific process for law 
interpretation. Laws are only interpreted by the courts in particular cases. Therefore, judicial 
interpretation is combined with court decisions. In some other countries, regardless of 
whether the precedents have binding force or not, independent judicial interpretation is 
exercised by the Supreme Court and Supreme Procuratorate.””’ These organs publish special 
documents to interpret specific problems in applying the laws and regulations made by the 
legislature. In China, in order to punish cybercrime, the Supreme People’s Court ruled in 
2001 that capital punishment may be applied to those who provide state secrets to foreign 
individuals or institutions via the networks and cause particularly serious harm. Sometimes, 
laws are criticized because of the vagueness of the legislative language used. For example, in 
the U. K. law, key words like computers and data have not been defined under the Computer 
Misuse Act of 1990.The worry is that such deliberate omissions may lead to incorrect 


decisions, which may complicate the existing problem. 





*” For example, in China, according to the Standing Committee of the National People’s Congress 


Resolution on Reinforcing the Task of Legal Interpretation (passed in the 19" Session of the Standing 
Committee of National People’s Congress on 10 June 1981), the Standing Committee of National 
People’s Congress is responsible for interpreting laws and decrees, while the Supreme Court and the 
Office of the Supreme Prosecutor are responsible for interpreting issues arising in the practical 
application of laws in the trial work of the courts and procuratorial work of procuratorates separately. 
If the interpretations of the Supreme Court and the Office of the Supreme Prosecutor show differences 
in principle, the issue has to be reported to the Standing Committee of the National People’s Congress 
to interpret or decide. 


268 


The sixth model is that of using judicial precedents on cybercrime. Common-law 
jurisdictions follow the principle of stare decisis. Precedent decisions have a binding force for 
the cases decided thereafter. Criminal-law reform is largely propelled and achieved by these 
decisions. Such decisions are closely linked to the interpretation of laws and regulations. 
Precedential decisions usually lead to the application of laws and regulations. A decision can 
also lead to the repeal of laws by claiming that they are unconstitutional. Therefore, 
precedential decisions can also lead to the exclusion of certain laws and regulations, as in the 
cases where some of the U. S. online crimes acts were challenged and finally removed by a 
court decision.””® 

The seventh model is that of administrative-law provisions relating to the criminalization 
of cybercrime. Provisions and orders promulgated by administrative organs constitute a part 
of the criminalization system of cybercrime at least in some countries. These provisions and 
orders provide definitions of terms used in legislation, and conditions under which certain 
conduct is legal or illegal, and sometimes, create a “link” between cybercrime and a separate 
article of a clause containing penalties in legislation. In China, the State Council promulgated 
the Ordinance on Security Protection of Computer Information System in 1994.°” The 
Ordinance prescribed legal liability for an act of: 

Violating the security-ranking protection systems of computer information systems, and 
threatening computer information systems; 

Violating the registration system of computer information systems in international 
networking; 

Not reporting cases within the prescribed time that have occurred in the computer 
information systems; refusing to improve after receiving a notice from the public security 
agency requiring an improvement in the security situation; and 


Other acts threatening computer information systems.”*° 





*78 For example, in several cases, the courts found that the term “indecent” in the U. S. 


Communications Decency Act of 1996 was unconstitutionally vague or that the CDA was 
unconstitutionally overbroad. See Satterlee Stephens Burke & Burke LLP, Obscenity and Pornography 
on the Net, n.d. http://www.ssbb.com/obscen.html 

* Ordinance on Security Protection of Computer Information System, State Council Decree No. 147, 
18 February 1997. 

*80 Tbid, Chapter 4. 
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These acts are punishable by public security for admonition or rectification upon stopping 
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the computer.~ If the act violates the public-security system, it is punishable according to 


the Regulations on Public Security Management; if the act constitutes an offence, it falls 
within the Penal Law.” 

The eighth model is that of comprehensive legislation. This model has similarities with 
the criminal clauses in non-criminal law. However, this model is more comprehensive than 
the above non-criminal law. The distinction between these two categories lies in that 
non-criminal laws primarily deal with the protection of rights or maintenance of social order, 
and the punishment of deviant behaviour, while the comprehensive laws deal with issues 
relating to the facilitation of certain activities, protection of rights and maintenance of social 
order and punishment of deviant behaviour with emphasis on the facilitation. 

Currently, some countries and regions are implementing comprehensive laws in order to 
solve legal problems in cyberspace. Among these laws are: 

The Electronic Transactions Act 1999 of Bermuda, 

The Telecommunications Act 1999 of Bhutan, 

The Law 67/2002 on Electronic Commerce, Companies and Data Messages of Ecuador, 

The Multimedia Act of Germany, 

The Telecommunication Ordinance of the Hong Kong Special Administrative Region of 
China, 

The Information Technology Act 2000 of India (No. 21 of 2001), 

The Computer Law of Ireland, the Computers Law 1995 of Israel, 

The Information Technology (Miscellaneous Provision) Act of Mauritius, 

The Electronic Commerce Act of Malta, the Electronic Transaction and Digital Signature 
Act 2004 of Nepal, and 

The Electronic Communications and Transactions Act of South Africa (Act No. 25, 
2002). 

The Multimedia Act of Germany is one of the examples of comprehensive legislation. 


Judged by the content of German law, it is all-inclusive, covering telecommunications service, 





81 Thid, Article 20. 
8? Ibid, Article 24. 
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digital signature, criminal punishment, breach of order, legal liability, distance learning, and 
price indication etc. Since the Internet technology is still developing, new legal problems are 
endlessly emerging; the Multimedia Act of Germany will definitely be under constant 
revision in the future. 

A better example of such comprehensive law is the Philippines Republic Act No. 8792, 
titled “An Act Providing for the Recognition and Use of Electronic Commercial and 
Non-Commercial Transactions, Penalties for Unlawful Use Thereof, and Other Purposes.” It 
directly reveals its comprehensive nature. 

Although the original idea of multimedia law regulating cyberspace problems belonging 
to different legal branches by comprehensive legislation is a welcome development, it cannot 
be accepted by most countries due to the sheer inability of bridging the complexity and 
technological nature of cyberspace problems. At present, the usual practice of countries is 
either to interpret current laws, to revise current laws, or to create new laws. After long-term 
studies and research, the U. S. enacted a digital signature act, a public-networks maintenance 
act, an encryption-technique protection act, a prohibition of electronic theft act, as well as a 
series of acts criminalizing cybercrimes. Where there is a requirement to revise a law, only 
corresponding articles and clauses require revision, but the whole law does not require to be 
changed. In contrast, the project of a finalized comprehensive legislation is too huge and the 


revision is difficult. 


9.6 Conclusion 


Information systems and the criminal phenomena relating to them have and will have a 
deep impact on the legal system. Along with globalization, legislative activities have been 
expanding to almost all countries. Effective international countermeasures are also being 
implemented by different international organizations. International harmonization, 
particularly the European Convention on Cybercrime, contributes greatly to forming a greater 
consensus in respect of the legislation of relevant countries. 

Differences in types and corpus delicti of offences provided in different countries cover 
the subject, object, mens rea, actus reus, and other conditions. Crucial divergence in 
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substantive criminal law still obstructs a trans-national criminal justice. It is believed that 
heavier penalties are better able to combat crimes. However, the situation in the world is 
becoming more complicated, because under a certain similarity in the theoretical framework 
and laws, there are also varying definitions of a detailed nature that greatly influence the 
identification and punishment of offences. 

The legal traditions, cultural contexts, ideology, and international relationships all 
constitute difficulties in coordinative international-law enforcement. There is still a necessity 
for cybercrime legislation. Either old law or new law, either domestic legislation or 
international harmonization should be used to meet social requirements and fill legal gaps. 

The discussion in this chapter demonstrates that the criminalization of cybercrime, both 
over time and over space, is still developing and improving. Two of the most significant 
issues must be tackled with priority: liability and jurisdiction. The following two chapters 


will discuss these two questions separately. 
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CHAPTER 10. LIABILITY FOR CYBERCRIME 


10.1 Introduction 


Crime induces a reaction, the liability that people impose on this phenomenon through 
established forms of law enforced by state agencies. Criminal law is an entity subject to 
incessant changes, depending upon the competing process of two opposite factors, crime, 
which represents a socially destructive force, and deterrence, which represents a socially 
constructive force. Consequently, criminal law is not composed of exactly the same 
components such as existing offences and punishments between one year and another, though 
the system remains the same. The change has usually been gradual so that no obvious 
difference can be perceived except over long intervals of time. 

However, present society is undergoing so rapid a change through ICT that an obvious 
comparison can easily be found. Different roles of information systems in cybercrimes and 
different motivations of criminals make the phenomenon extremely wide in quantity and 
diversified in forms. The deterrent effect should be achieved by various liabilities. Criminal 
liability being certain (Lehtonen 2000a), the previous research on the liability of cybercrime 
has also focused on justifying the possibility of civil remedies (Drummond and McClendon 
2001, Bequai 1983, pp. 225-233). 

This chapter will analyse the feasibility of different forms of possible liability for 
cybercrimes. The feasibility is to be established upon the following considerations, firstly 
concerning the effectiveness of the liability in eliminating the incentives of the potential 
perpetrators as mentioned above and elsewhere by many others. Another consideration is that 
of concentrating on the enhancement of the mechanism of traceback as explained in Chapter 4 


Section 4.5. 


10.2 Criminal liability, civil liability and administrative liability 
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In imposing sanctions on cybercrimes, alternative liabilities may be any of the three kinds: 
criminal, civil and administrative liability. Criminal liability is the most common choice; 
importance of civil liability is increasing; while administrative liability has only a limited role 
in combating cybercrime. 

The justification for criminal liability must refer to the reasons for imposing a penalty. 


Since Jeremy Bentham,” 


criminal science has been built up on the supposition of crime as 
rational behaviour. People prefer committing crime to behaving legally because the gain from 
illegal activities is bigger than that from legal activities. Becker (1968) developed the theory 
from the viewpoint of the economic analysis of crime. Criminals are supposed not only to be 
rational, but also calculating. Imposition of punishment is to raise the expected costs and 
diminish the expected benefits of crime. When detection counterbalances the benefits, the 
potential perpetrator would give up crime. In order for the punishment to deter crime, severity 
of penalty should be fully taken into account to supplement the insufficient probability of 
detection and conviction (see Becker 1968). 

These deliberations only give half the answer. The fact is that many other criminals are 
hardly rational, and are not really calculating, either. So traditional deterrence can work only 
in the case of rational criminals, but cannot work against irrational criminals. 

Punitive liability is based on the proportionate principle, that is, the penalty should equate 
with the severity of an offence. The complete contents of the proportionate principle include 
the following aspects: that all offences should be punished, while a non-offence should not be 
punished; a serious offence should be punished with a severe penalty, while a less serious 
offence should be punished with a less severe penalty; accomplices in complicity should be 
punished according to their roles in the offence. 

It has been assumed that the purposes of imposing criminal liability fall into two 
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categories, that of special deterrence and that of general deterrence.“”’ In the case of 





*83 ‘The utilitarian philosopher, holding that pleasure is the chief end of life and that the greatest 


happiness for the greatest number should be the ultimate goal of human beings. 
*84 Claimed by Cesare Beccaria in Crimes and Punishment (1764). See, for example, Levinson (2002), 
pp. 512-513, for a detailed introduction. 
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cybercrime, criminal liability is definitely the choice that has priority.”*° The effectiveness of 
deterrence depends on the severity of punishment and the probability of conviction (Becker 
1968). The probability of detection and conviction is limited by the characteristics of 
cybercrime. It is possible to raise the probability of detection, but it requires an increasing 
investment of both money and human resources on law enforcement (Mermin 1973, pp. 
14-20). Even if investment is increased, the probability of detection cannot be 100 percent. In 
fact, the probability of detection in cybercrime has been very low, due to the preference and 
ability of both criminals and victims to hide their crimes (see Chapter 7, Section 7.8-7.10). 
Another way to increase deterrence, however, is to aggravate punishment. The severity of 
punishment is also subject to limitation by recognition of certain factors, of the seriousness of 
the offence, of humanitarianism, as well as of the cost of punishment, particularly 
imprisonment. Instead of imprisonment, if a substantial sum of a penal fine were imposed, 
and the criminal’s financial situation could not meet the requirement, the actual enforcement 
might be impractical. It is, therefore, difficult to say whether fine could act as a complete 
substitute for imprisonment. In consequence, it may be argued that, the effectiveness of 
criminal liability is important but limited. At the same time, criminal liability alone does not 
provide any remedy for the victims, who in many cases suffer more or less losses. 

In addition, although criminal law can cover negligent and strict liability, the current laws 
generally criminalize only intentional cybercrimes. While there is a concern about 
undercriminalization, critics have also argued that overcriminalization may happen. Besides, 
it is still disputable as to whether their activities should be criminalized. 

It is possible to say that civil liability is a necessary remedy to cover the insufficiency of 
criminal liability, even though it is designed primarily to provide a remedy for the victims. 
Civil liability is not a substitute for criminal punishment. If criminals only bear civil liability, 
the effectiveness of deterrence will mostly be absent. Civil liability thus plays a weaker role in 
deterrence than criminal liability. However, it has a strong function in providing a remedy for 
the victims by making the criminals pay. By doing so, civil liability can compensate at least 


for a part of the victims’ losses, and can reduce the gain of the criminal from cybercrime. If 





*85 The author wishes to impose a caveat about the view that it is time to abolish punishment and 
prisons as uncivilized. 
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there is a civil liability, potential perpetrators will inevitably consider it more expensive to act 
illegally. Laws in many countries have imposed civil liability. For example, the U. K. 
Copyright, Designs and Patents Act 1998 provides civil remedies to compensate victimized 
intellectual property rights holders and for other copyright offences included in Section 107. 
In addition, by holding the third parties liable, civil law in many countries allows a victim to 
recover losses from third parties if their negligent or intentional act has caused the loss 
(Kenneally 2001, p. 63). In cyberspace, third parties may be the only source of recovery. 
The direct effect of third party liability is that it creates incentives for the parties to invest in 
maintaining effective security protection. However, as we mentioned above, the deterrence of 
civil liability should not be expected to be too effective. Civil liability is confronted with the 
same problem of the low probability of detection. If the probability is too low, civil liability 
will also be ineffective. 

In order to maximize the effectiveness of the deterrence, criminal liability, civil, and 
administrative liability should be imposed simultaneously. The criminal should be held to be 
liable on all three grounds. In addition, other individuals and corporations should be held 
liable for relevant behaviour in the same case. These should include personnel in charge of 
management who have abused their duties, intermediaries who have failed to provide 
reasonable supervision of criminal users and protection for victim users, and manoeuvred 
third parties who have failed to protect their own systems and failed to prevent their systems 


from being used in attacks against others. 


10.3 Individual liability and corporate liability 


The subjects (perpetrators) of cybercrime can have different combining forms: a simple 
individual, several unorganized individuals, several organized individuals, and a corporately 
organized form. When only one individual is involved in the case, liability is limited to this 
person only. When more than one individual are involved in the case, they may form 
conspiracy, gang, or organized crime ring. In traditional criminal-law theory, these 
cybercrimes of different organizing structures may still induce individual liability. However, 
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the liability of each individual may be determined by the role that this person has played in 
the illegal activities, including being a principal, aider and abetter, leader, organizer, etc. 

It is possible that cyber conspirators are distributed in different places (cities, provinces 
or countries), and communicate and commit the crime with the help of the Internet. The 
trans-territoriality of this kind of crime makes it complicated to investigate and hold the 
conspirators liable. 

When a great number of individuals commit a crime, the opportunity of impunity 
becomes bigger (Radzinowicz and King 1977, p. 44). Cyber gangsters are not necessarily 
more organized than other conspirators are. However, they may be more widely dispersed and 
operating on a larger scale. Hactivists may be classified into this category. At the same time, 


gangs in the traditional sense can be formed with the help of the Internet.*° 


Pure cyber gangs 
may not only be organized through the network but also commit offences online. 

Organized cybercrime, cyber terrorism, and cyber war are also possible. After the 9/11 
attacks, individuals, organizations and governments all over the world became aware of future 
threats in cybersecurity. Brenner (2002) explored the problem of possible influence of 
cyberspace on criminal organizational forms. Many commentators have also written and 
reported about cyber terrorism and cyber war. In cyber terrorism, cybercriminal organizations 
should be held liable. In cyber war, even a state may be involved in an international offence 
and be criminally liable. 

Corporations are increasingly the actors in the new social structure (Coleman 1990). 
Individuals are the necessary ingredients of corporations but corporations are different from 
organized individuals in that the organizing form of the former is subject to a legal character. 
Corporate liability is disputable even in the framework of traditional criminal law. However, 
the tendency is that an increasing number of countries adopt the theory and practice of 
corporate crime. It is natural that corporate cybercrime should also be held liable through 
criminal-law reform in response to the new criminal phenomena. According to the U. S. 


Department of Justice (2003),”*’ Article 12 of the Convention on Cybercrime and the 





*86 Eastday, Four Liaoning Cyber Friends Allied Robbing Taxi, Killing Driver and Burning Corpse, 18 


March 2006. Retrieved 15 March 2007, from 
http://news.eastday.com/eastday/node7984 1/node79860/node124570/userobject1ail922624.html 
*87 U. S. Department of Justice. Frequently Asked Questions and Answers-Council of Europe 
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Explanatory Report paragraphs 124-125 provide that only if a person’s act constitutes an 
offence under traditional principle of corporate liability, may the corporation face criminal, 
civil or administrative liability. Mere users’ actions are excluded from corporate liability. 
According to the Convention on Cybercrime, corporate liability is established based on the 
individual or organizational activities of a natural person who holds the power of 
representation of the legal person, who has an authority to take decisions on behalf of the 
legal person, or an authority to exercise control within the legal person.**® Upon ratifying the 
Convention, individual countries shall have to implement its provisions concerning the 
liability of legal persons for some of the cybercriminal offences originally absent from their 
own national law.**’ Besides Internet service providers, there are many other corporations 
engaged in online activities associated with the relevant obligations. Corporate liability can be 
of a particular severity, for example, in the U. K., corporate criminal liability can result in 
penalties on companies and their directors of unrestricted fines and less than two years of 
imprisonment. The same spirit of the law can well be extended to these corporations and 
possibly impose liability on them. Bearing in mind what has been said previously in Chapter 8, 
we now indicate the legal remedy that can be used resolving the underlying problems 


envisaged earlier. We therefore turn to the remedy of liability for damage. 


10.4 Liability based on law and liability based on contract 


Before liability for cybercrime is imposed, law or contract might provide obligation or 
responsibility. The liability comes from a breach of law or contract in the form of the 
commission of a proscribed act or the omission of a prescribed act. 

Law prohibits cybercrime. Committing a cybercrime must induce liability. However, the 


law does not run concurrently with the development of technology. The concern of liability 





Convention on Cybercrime, November 2003. 

88 Council of Europe, Article 12.1, Convention on Cybercrime, Budapest, 23 November 2001. 

8° HE 153/2006, Detailed Justifications, 1. Contents of the Convention and its Relation to Finland’s 
Legislation, Part II National Measures. 
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must be widened. According to the principle of legality, the supposed liability does not exist 
in law. Therefore, legislation should be the basis for liability. 

On the other hand, a promise can be made in a contract to create obligations. When one 
party breaches the obligation, the aggrieved party may be remedied according to contract law. 
Liability in contract law can create an incentive to maintain a secure critical infrastructure. 
This kind of obligation can be agreed in the contracts between institutional users and service 
providers. 

However, my research found that individual users are generally excluded from the 
mechanisms in which the dominant parties are service providers. For example, many service 
terms drafted and enacted by online enterprises usually include a unilateral disclaimer of 
watranties and limitation of their liability. 

The disclaimer of warranties requires users to understand explicitly and agree to use the 
service at their sole risk. The enterprise expressly disclaims all warranties of any kind, 
whether express or implied. The enterprise further states that it makes no warranty that the 
service will be uninterrupted, timely, secure or error-free; and any errors in the software will 
be corrected, etc. If users download or obtain by other ways any materials, it is at the users’ 
discretion and risk. The limitation-of-liability clause claims that the enterprise shall not be 
liable to the users for any direct, indirect, incidental, special, consequential or exemplary 
damages; unauthorized access to or alteration of the user’s transmissions or data, etc”? The 
basic relationship in these clauses is that service providers make no promise, but make a 
non-promise. Non-promise results in no obligation of warranty. Non-obligation results in no 


liability. 


10.5 Intentional liability, negligent liability and reckless liability 


Current criminal-law countermeasures generally criminalize intentional conducts, 


whether in the domestic legislations of various countries or in the Convention on Cybercrime. 





°° See Yahoo!, Terms of Service. Retrieved 15 March 2007, from http://docs.yahoo.com/info/terms/ 
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The Convention requires countries to implement domestic laws to criminalize the following 
unauthorized conducts: 

Intentionally accessing information systems (illegal access, Article 2), 

Intentionally intercepting information systems (illegal interception, Article 3), 

Intentionally interfering with data and systems (data interference, Article 4, and systems 
interference, Article 5), 

Intentionally misusing devices for the purpose of committing any of the offences 
mentioned above (misuse of devices, Article 6), 

Intentionally aiding and abetting the commission of any of the above offences (Article 7). 

The Convention leaves countries to make further requirements or reservations, but the 
subjective aspects are not in the items of the Convention subject to such discretions. 

If users fail to secure their own information systems from outside exploitation and cause 
damage to another user, they should be held liable for the negligence and compensate the 
victimized party. The prerequisite for this negligent liability is that users do not take sufficient 


care to protect reasonably their information systems.” 


The factors in judging whether users 
are taking reasonable care include the amount of information held; the form in which 
information is retained; the sensitivity of information; the level of risk; the size of the 
company; and the cost of rendering information systems secure.” 

Concerning negligent and reckless liability, there are several situations: 

1. Laws specifically exclude negligent liability. For example, in U.S.C. 18 $1030 
prescribes that negligent design or manufacture of computer hardware, computer software, or 
firmware are immune from a civil action to obtain compensatory damages and injunctive 
relief or other equitable relief by any person who suffers damage or loss (The U.S.C. 18 
§ 1030 (g)). 


2. Laws criminalizing intentional conduct also involve punishment for some kind of 


negligent or reckless misconduct. For example, the Section 151b of the Penal Code of 





*! Bridge Point Communications, Information Security: Corporate and Individual Liability, October 
2001, pp 1-2. Retrieved 15 March 2007, from 
http://www. bridgepoint.com.au/LinkClick.aspx?link=PDF+Docs%2Fliabilitypaper.pdf&tabid=36&mi 
d=376 

*” ibid. 
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Norway criminalized the act of negligently destroying, damaging, or putting out of action any 
data collection or any installation for some critical sectors, and imposes fines or imprisonment 
for a term not exceeding one year. The Section 250 of the Norwegian Crimes Amendment Act 
2003 prescribes punishment for act of intentionally or recklessly damaging or interfering with 
computer systems (Section 250). That is to say, the severity of intentional liability and 
reckless liability are treated equally in the offence of damaging or interfering with computer 
systems. Section 251 also provides the reckless factors in the offence of making, selling, or 
distributing or possessing software for committing a crime, “knowing or being reckless as to 
whether it will be used for the commission of a crime.” (Section 251 (1) (b)) Section 252 (1) 
also prescribes recklessness as a factor in the offence of accessing computer systems without 
authorization, “every one is liable to imprisonment...who intentionally accesses, directly or 
indirectly, any computer system without authorization, ...being reckless as to whether or not 
he or she is authorized to access that computer system.” (Section 252 (1)) However, this is 
hardly to say that Sections 251 and 252 establish reckless liability. Similarly, the 18 U.S.C. 
$1030 also includes a clause to penalize recklessly-caused damage, but as a result of 
intentional access to a protected computer without authorization (The U.S.C. 18 §1030 (a) (5) 
(A) (a1). 

3. Legislation proposals, such as the model law of the Commonwealth, taken in reckless 
liability. The Commonwealth’s model law has extended criminal liability to the mens rea of 
offences of interfering with data, interfering with computer systems, and illegal devices so as 
to include reckless liability.°”? The establishment of negligent liability contributes to forming 
a close legal framework in combating cybercrime through strengthening the security 
consciousness of information-systems users, particularly management. To date, explicit 
negligent liability for cybercrime is still, however, absent from the international instruments 


and laws of most countries. 





3 Legal and Constitutional Affairs Division Commonwealth Secretariat, Report on Law and 


Technology Workshop for the Caribbean, Kingston, Jamaica, November 3-7, 2003, published in 
January, 2004. 


10.6 Direct liability and indirect liability 


Direct liability is the liability directly derived from the illegal act that involves 
information systems. As in the situation where traditional offences are prohibited, the basis 
for cybercrime liability is the same as for the non-cybercrimes. We are not discussing various 
theories about what the basis for criminal law is, nevertheless, cybercrime is no different from 
the older crimes in that old crimes infringe human rights and property rights, and violate the 
social order. Indirect liability is the liability that is derived from the omission of supervision 
and management over the activities of the perpetrator or over information systems. The 
establishment of obligation is the prerequisite for indirect liability. The effective incentive for 
the responsibility of supervision and management must be ensured by work ethics, rules or 
disciplines, and civil, administrative, or criminal liability. Kelly (2002) analysed the 
institutions’ liability for e-mail in further education and higher education institutions. He 
pointed out that e-mails may be regarded as published information originating from the 
institution and the liability for its publication may attach to the institution. If the institution is 


held liable, this liability is derived indirectly from the users’ act. 


10.7 Trespasser’s liability, third parties’ liability, and victim’s liability 


Trespassers include a wide range of individuals and corporations: system intruders, virus 
creators and distributors, illegal web site owners and administrators, authors of illegal 
contents, illegal service providers, illegal product traders, and so forth. Trespassers’ liability 
includes criminal liability, civil liability and administrative liability for their cybercriminal 
act. 

Third parties include Internet service providers, security publishers, Internet security 
providers, software vendors, software authors, and system owners. They may also be 
criminally liable, but in most cases, their liability should be to provide civil remedies for the 
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victims. According to the U. S. Department of Justice (2003),~~ the Convention on 





4 U. S. Department of Justice. Frequently Asked Questions and Answers-Council of Europe 
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Cybercrime does not require the service providers to monitor content to avoid liability. The 
provisions of the Convention governing aiding and abetting do not naturally apply to the 
service provider (Article 11, and Explanatory Report paragraph 119). This Convention 
exempts third parties from liability, but is limited to the Internet service provider as far as 
Internet content is concerned. 

Summing-up the discussion of Icove and co-workers (1995), Drummond and 
McClenden (2001), Fisk (2002), and others, about third parties’ liability, covering ISPs, 
security providers, software vendors, software authors, and system owners, the situation is 
that where no liability mechanisms are implemented, they will have insufficient incentive to 
provide higher standard of products or services. The following Canadian case proved that the 
absence of liability mechanisms leaves the relevant party unaware of unauthorized access 
concerns. 

“Several participants in online contests run by the company in question received 
telephone calls from a person or persons falsely claiming to represent the company. In an 
internal investigation, the company cannot determine exactly how unauthorized persons had 
obtained personal information collected from contest entrants, but believed it possible that 
the computer database in which information was stored may have been compromised. An 
inspection by an outside firm cannot confirm how or even whether the database had been 
compromised, but did give rise to several recommendations towards improving the 
company's informational security. The company has adopted all recommendations and has 
taken specific measures to physically secure contest participants’ personal information from 
unauthorized access. 

At the time of the complaint, the company had no policies for the retention and disposal 
of personal information. On the advice...the company has also agreed to implement such 
policies.”””° 

The reason for insufficient incentive is mainly that the improvement of quality of 
products or services is costly, requiring more investment of money, time, and human 


resources. Liability mechanisms will create incentives to provide products or services on at 





Convention on Cybercrime, November 2003. 
* Finding #52, 2002 CanLII 42357 (P.C.C.). 
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least a standard level. Products and services containing security defects are at great risks of 
falling fool of product liability. 

However, holding third parties liable is not without risks, because products and services 
are usually provided subject to contract or licensing agreements, making tort liability 
inappropriate because the parties have bargained to allocate the risk between them (Perle and 
co-workers 2000, pp. 10, 12). The reasonable starting-point for concluding agreements is that 
neither of the two parties wants to endure more risk. In general, product or service users may 
have greater discretion in choosing more guarantees and fewer expenses. Third parties will 
generally be worse-off. However, third parties will pass on to the users the extra costs in 
improving the quality and fixing the loopholes. They will raise the prices of their products or 
services to a higher quality level. 

Particularly, there are also some unique aspects of software that make it challenging to 
apply traditional concepts of liability to free software authors. Free software is also called 
open source software, which is software that must be distributed with a source code included 
or easily available, such as by free download from the Internet (Kavanagh 2004, p. 1). As a 
movement, free software dated from 1984, when Richard Stallman first published the idea 
that software should be free “as in speech,” so that users can review it and change it, as he or 
she requires to (Kavanagh 2004, p. 2). The term open source dated from 1997, when Eric 
Raymond, Tim O’Reilley, Bruce Perens and others decided to emphasize the technical and 
practical advantages of open source software to avoid making the idea less attractive to 
businesses (Kavanagh 2004, p. 2). Kavanagh (2004) claimed that open source is successful 
(pp. 19-40), good (pp. 41-52), inadequate (pp. 52-55), more difficult (pp. 56-62), but he 
mentioned nothing about security. However, the open source licenses usually include a 
disclaimer of warranty or limitation of liability.””° 

The disclaimer of warranty usually reads as the following: 

“...[T]he Original Work is provided under this License on an “AS IS” BASIS and 
WITHOUT WARRANTY, either express or implied, including, without limitation, the 


watranties of non-infringement, merchantability or fitness for a particular purpose. THE 





Kavanagh (2004) listed licenses of GNU General Public License, Mozilla Public License, and The 
BSD License. In fact, many other open source licenses are available from the Internet. 
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ENTIRE RISK AS TO THE QUALITY OF THE ORIGINAL WORK IS WITH YOU...”?”” 

The limitation of liability usually includes something of this kind: 

“Under no circumstances and under no legal theory, whether in tort (including 
negligence), contract, or otherwise, shall the Licensor be liable to anyone for any indirect, 
special, incidental, or consequential damages of any character arising as a result of this 
License or the use of the Original Work including, without limitation, damages for loss of 
goodwill, work stoppage, computer failure or malfunction, or any and all other commercial 
damages or losses. This limitation of liability shall not apply to the extent applicable law 
prohibits such limitation.””** 

Under such circumstances, if we impose liability on authors, it is impossible, because 
authors get no income to pay the compensation. It is inefficient, because authors will be 
discouraged from contributing. It is unfair, because users use the software for free and 
voluntarily. Finally, it is at the users’ “entire risk” to use such software, because prior 
agreement between authors and users distributes this risk to users. 

Security (defects) publishers are different from other third parties in that they may have 
two aspects of gain from the publication, one is that the publication can prevent some harm 
suffered by the general public, the other is that the publication realizes more economic or 
other benefits. However, there is a great risk of resulting in users’ losses where hackers 
exploit the publicized loopholes. In addition, users must be expected to invest in improving 
their security level when they know of the newly publicized loopholes. Whether the publisher 
should be held liable for his publication, is a question of a nice calculation. What has to be 
weighed, on the on side, is the gain of users from the stopping of the potential harm and the 
publisher, too, obtaining a higher confidence value, and on the other side, the losses users 
suffer from attacks launched to exploit publicised loopholes and the cost of preventing the 
attacks. In different cases, the cost-effectiveness relationship is different and is hard to make 
a choice. Finally, as Preston and Lofton (2002) put it, it is a question of whether a specific 
rule of liability concerning information security publications causes more harm than good, 


rather than whether an individual publication does (p. 130). 





°7 Open Software License (“OSL”) version 3.0. 
** ibid. 
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A victim of crime is not always innocent. However, traditional criminal law does not 
impose punishment on a victim. The notion of culpable victim merely means that the victim 
induces the offence against him or her. To impose punishment on victim or on the responsible 
personnel of the victimized institution becomes realistic in white-collar crime and corporate 
crime. In information systems, victim liability is no longer a taboo. The culpable victim may 
be punished either due to his or her preceding illegal behaviour or due to his or her failure to 
prevent the illegal behaviour. In some special cases, laws also impose such a liability on 
victims. As Sadowsky and co-workers (2003, p. 175) have pointed out, if a site is made 
inoperable by a denial of service attack, the company may be liable for claims based on 
breach of contract. Definitely, in this case the victim of the attack also breaches the contract 
and becomes a liable party. However, it is necessary to avoid over-criminalization and 
mis-criminalization. The EU Framework Decision on Attacks against an Information System 
(12 May 2003) recognized the “need to avoid criminalizing the right-holder and authorized 


persons.” (Preamble (13)). 


10.8 Domestic liability, trans-national liability, and international liability 


Some kinds of cybercrimes are usually aimed at domestic targets, though perpetrator and 
victim are not necessarily the same jurisdiction. The general principle of jurisdiction can be 
applied to deal with such cases. Criminal justice assistance is also necessary in investigation 
and prosecution. 

The trans-border nature of the Internet often enables trans-national cybercrimes: an 
offence being carried out from different countries; an offence targeting victims in different 
countries; or an offence targeting a floating victim who travels through states A, B, C, etc. All 
these cases are brought about by the trans-border information flow. In the last few years, 
people have compared information systems with a superhighway. Wherever information can 
reach, there information systems can facilitate cybercrime. Relationships between offenders, 


victims, and intermediaries that link them are all connected into this system, enjoying the 
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wealth of information and taking potential risks. It is natural that the trans-border liability will 
be prevalent. 

Cybercrime of an international nature, such as cyber terrorism and cyber warfare, is 
comparable to traditional international crimes. Universal jurisdiction should be applied in 


such cases. However, this is still a theoretical supposition. 


10.9 Offensive liability and defensive liability 


Offensive liability is the liability for the offensive act. The person who is liable for his or 
her offensive act is the perpetrator of cybercrime. Defensive liability is the liability for 
omission of the defensive act. Cybercrime does not always result in defensive liability. 
However, if there is a legal obligation upon the parties whose systems are targeted or 
exploited, victimized or exploited parties may also be liable for the omission of an obligation. 
In content-related cybercrimes and denial-of-services attacks, the content-service providers 
and compromised computers are in a defensive status and potential liability falls into the 
context of defensive liability. Traditionally, subjects in a defensive status are only liable when 
there is a legal basis for the logic of “failing to prevent a crime is to cause it,” and where, 
usually, big organizations become significant targets of public complaint about crime 
(Sherman 1995, pp. 102-113). In the network environment, two contrary tendencies exist in 
the meantime. One is the pressure of imposing suitable obligations for the prevention of 
cybercrime in big online enterprises, the other is that these enterprises have sufficient power 
to resist this kind of pressure. Therefore, if defensive liability comes into being some day, it 


would hardly be in a short period of time. 


10.10 Punitive liability, exemplary liability and compensatory liability 


Punitive liability is the liability primarily for punishing the offender and deterring further 


offences. The punishments provided in criminal law, such as imprisonment and fine, are 
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designed to serve this function. All of the offences, including cybercrime, are treated similarly 
in criminal law. Although the purpose of modern criminal law is deterrence, the innate nature 
of the penalty is to punish the criminal. This nature has never been changed by the 
development of a set of modernized terminology in criminal law. The terminology functions 
mostly in adjusting the principles to changing social needs. Consequently, the punitive nature 
of criminal law has shown a reduction in the severity of its linguistic expressions, and less 
concrete structures. However, when we discuss criminal law, we are straightforwardly 
relating the person to the artificial unhappiness of the punishment, which is the consequence 
of the inherent liability of committing a crime. 

Exemplary liability is liability for alerting the perpetrator, containing both punishment 
and compensation. Exemplary compensation is a kind of liability that imposes monetary 
damages greater than the actual losses. Due to the low probability of detection of cybercrimes, 
punishment should be severe enough to deter them. The exemplary liability may be a useful 
way of increasing the severity of punishment. The reason why exemplary liability is supposed 
to be effective is that socialized individuals are morally responsible and psychologically 
correctable. Exemplary liability symbolizes cybercrime as a moral wrong and an unfair 
psychological gain. What is a moral wrong should be publicly reprimanded, while deprivation 
should be the fate of what is unfairly gained. Beyond reprimand and deprivation, exemplary 
liability is designed to prevent future wrongdoings. 

Compensatory liability is liability primarily for compensating losses of the victim from 
cybercrime. Compensation is generally meant to match the losses of the victim. Such 
compensation falls into the field of civil liability. Because cybercrime usually causes great 
losses for the victims, the compensation helps the victim to recover the whole or part of the 
losses. The revelation of a personal message or trade secret may be a fateful incident for the 
reputation of an individual or business of an enterprise. While compensation for a sum of 
millions of dollars cannot be afforded by most hackers, smaller sums of compensation are 
quite realistic. The necessity and possibility of compensatory liability for some victims of 


cybercrime is justified as a complementary remedy. 
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10.11 Conclusion 


In the case of cybercrimes, the losses from the criminal action are mainly pecuniary, 
while the damages are non-substantial. In addition, there is usually an involvement of 
multiple parties in the cybercrimes and thus the identification of subjects becomes difficult. 
This necessitates the establishment of a multi-layer liability system of multiple subjects. 
Moreover, the damage from cybercrimes is great, while the detection probability and rate of 
conviction are both low. This demands the imposition of heavier sanctions than in the case of 
crimes with a higher detection probability. 

Liability can only be effective when it discourages criminals, creating an incentive for 
security. If there is no incentive, even if there is liability, there should be no liability, because 
this kind of liability is not cost-effective and inefficient. On the other hand, the establishment 
of liability should be based on creating incentives for the subjects, to prevent those who 
distribute software which is vulnerable to hacking, those who access the Internet with the 
possibility of being exploited by attackers, and those who provide security services that are 
insecure, and so on. 

However, the law should not be there to hold all those responsible liable when the 
breach of responsibility is expressed in the form of a crime, but to impose liability, as 
necessary, on those whose activities reasonably cause the effect according to strict legal 
principles. The above discussion is to demonstrate the possibility of liability forms rather 
than to create liability for any user of information systems. 

Liability is not in the air, but on the ground. Liability should be fixed by legislation, as 
has been stated in this chapter. However, liability also should be established in jurisdiction, 


as we will see in the next chapter. 
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CHAPTER 11. WEAVING CYBERCRIMINAL JURISDICTION INTO THE LEGAL 
NETWORK 


11.1 Introduction 


Unless jurisdiction can be exercised over cybercrime, no liability can be imposed on the 
perpetrator. Jurisdiction is not a problem emerging only in issues associated with information 
systems (Westby 2003, p. 41). However, it is becoming significant in the digitalized 
environment. Crime is undergoing a process of globalization (Findlay 1999, Lehtonen 2000b); 
cybercrime particularly is in principle borderless. Smith, Grabosky and Urbas (2004, pp. 
48-49) have summarized four challenges that the trans-national dimension of cybercrime 
poses for prosecutors: to establish the criminal jurisdiction of an act in question, to collect 
adequate evidence to activate the law, to identify the criminal and to decide his or her physical 
location, and to decide either local jurisdiction or extradition. 

Actually, many elements have significant functions in deciding which court has power to 
exercise jurisdiction over a criminal case. The Internet poses the great challenge to the 
traditional practice of exercising jurisdiction. The trans-border nature of information systems 
makes the boundary of criminal jurisdiction more ambiguous. Technically, the perpetrator can 
give a command to a computer in State A to modify data physically stored in a medium 
located in State B, without the knowledge of the actual location of the data. The modified data 
may produce a harmful effect in State B after crossing communications networks located in 
several other countries. Based on the traditional theory of criminal jurisdiction, many 
countries can claim jurisdiction over the case based on the acts of modifying the data, the 
transmitting of modified data, and the emergence of harmful effects. It is difficult to 
determine the geographical location and thus the jurisdiction. 

In addition, the uncertainty in cyberspace complicates the traditional criminal 
jurisdiction. In the latter, the nationality of the perpetrator, the location of the act and the 
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effect can be the basis for the criminal jurisdiction because of their link to a substantial 
location of a certain jurisdiction. In cyberspace, however, the link between these factors and 
substantial location becomes uncertain. We cannot find the residence and tangible property; 
determine the nationality of the actor, and the exact location of a remote logging on, but only 
the existence of the actor and the detailed contents of the criminal act. In sum, the traditional 


criminal jurisdiction should now be globalized (Berman, 2002). 


11.2 The legal basis for cybercriminal jurisdiction 


Criminal jurisdiction means the power of a state to prosecute and punish the criminal. In 
terms of international law, it is the foundation for dividing the power between countries over a 
criminal justice that involves international factors (Zhao 1994, p. 116). The established 
principles of criminal jurisdiction over international crime include the principle of territorial 
jurisdiction, the principle of personal jurisdiction, the principle of protective jurisdiction, and 
the principle of universal jurisdiction. The former three principles are also effective in 
domestic criminal law, and the last principle is unique in international criminal law. 

“Sovereignty accorded each state supreme, comprehensive and exclusive rule over its 
territorial jurisdiction.” (Linklater 2000, p. 1504) Under this principle, the criminal is subject 
to punishment by the state where the crime was committed, without considering the 
nationality of the criminal (Van Dervort 1998, p. 254). Law shall apply to a crime committed 
in the state where the law is enacted.” Vessel and aircraft are generally deemed to be the 
extension of the territory of a sovereign state, whose flag they fly regardless of where the 
vessel or aircraft are located, even if the vessel was on the high seas or in foreign territory, or 
even if in the territory not belonging to any state or the aircraft was in or over such territory.*°° 
According to this principle, determination of the location of cybercrime is the basis on which 


to decide whether a state has jurisdiction. The act and effect of cybercrime usually involve 





oe See, for example, Penal Code of Finland (39/1889), Chapter 1, Section 1. The English translation 
was made by Ministry of Justice, Finland, as an unofficial translation. 
ae See, for example, ibid, Chapter 1, Section 2. 


several locations in different states. If every state claims criminal jurisdiction over the same 
offence, jurisdictional conflict is inevitable. 

At the same time, the determination of the location of cybercrime is more difficult in 
other aspects. The focus of the disputes resolves around the places which can be identified as 
the locations of an offence. Traditional theory adopted the places where the act of the offence 
was committed and where the harmful effect of the offence happened.*”’ In cybercrime, the 
act can be carried out in a place thousands of kilometres from the place of its actual effect. 
However, the location where the computer was in operation is publicly regarded as the 
location of the act. What is still disputable is whether the places where the transmitted data 
pass (that is, the networks) and arrive (that is, terminals) and where the web pages are 
deposited (generally, servers) can be regarded as the location of an offence. 

The negative answer to this question was partly given in Directive 95/46/EC, Article 
4.1(c) provides that if “equipment is used only for purpose of transfer through the territory of 
the Community,” national provisions will not be applied. In fact, this provision has almost 
unanimously been provided in the laws of member states.°” 

The principle of nationality is designed to protect the legal rights of domestic or local 
citizens, and prevent an unjust trial of domestic or local citizens by other states or regions: the 
criminal is subject to punishment by the state, to which the criminal’s nationality belongs 
(Van Dervort 1998, p. 261). The principle of active nationality applies to cases in which the 
offenders are citizens of the state, while the principle of passive nationality applies to cases in 
which the victims are citizens of the state.*” However, because offences covered by this 


principle usually happen outside the state or region, conflicts often appear with the states or 





*°' See for example, ibid, Chapter 1, Section 10, providing that “An offence is deemed to have been 
committed both where the criminal act was committed and where the consequence contained in the 
statutory definition of the offence became apparent. An offence of omission is deemed to have been 
committed both where the offender should have acted and where the consequence contained in the 
statutory definition of the offence became apparent.” In the cases of attempt and complicity, the 
location where the offence might have been completed or the consequence might have appeared, or the 
consequence that the offender thought would appear, or the act of complicity might have been 
committed, shall apply the Finnish law. 

3° See Danish Act on Processing of Personal Data (Act No. 429 of 31 March 2000), Part 3; Finnish 
Personal data Act (523/1999), Section 4; Icelandic Act on Protection of Individuals with regard to 
Processing of Personal Data, No. 77/2000, Section 6; Norwegian Act of 14 April 2000 No. 31 Relating 
to the Processing of Personal Data (Personal Data Act), Section 4; and Swedish Personal Data Act 
(1998:204), Section 4. 

33 See for example, Penal Code of Finland (39/1889), Chapter 1, Sections 6 and 5. 
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regions which claim jurisdiction according to the principle of territory, and result in double 
jeopardy. Finally, this principle is only applied in grave offence, for example, spreading child 
pornography and other illegal information. The principle of nationality is designed to 
supplement the insufficiency of the principle of territorial jurisdiction but not to impose any 
limit on it. On the contrary, the mere application of the _ principle of nationality is usually not 
enough for a state to exercise jurisdiction over events in its territory. Sometimes laws provide 
explicit clarification of this situation. For example, Section 9 (1) of the U. K. Computer 
Misuse Act 1990 prescribes that to establish jurisdiction over the offence does not depend on 
the citizenship of the accused. 

The principle of protection is primarily applied to foreigners or stateless persons who 
commit an offence endangering the state’s interests abroad; the victimized state has the power 
to prosecute or try the case.“ According to this principle, the state has power to take the 
necessary measures against the offence which breaches the state’s interests. Any online 
activities have a global nature, which causes many obstacles to applying the principle of 
protection. On the one hand, the after-effect of cybercrime usually involves many states. If 
every state claims criminal jurisdiction, it will definitely cause a jurisdictional chaos. On the 
other hand, if the cybercrime prescribed in one state is not criminalized in other states, it is 
unreasonable for this state to exercise jurisdiction. No state is likely to exercise jurisdiction 
over cybercrime merely according to the principle of protection. 

The purpose of the principle of universal jurisdiction is the establishment of 
consensus on criminal jurisdiction between states to prevent crime effectively and to combat 
crime under the framework of an international law based on international treaties containing 
penal provisions, and provided by each country’s domestic law.*°° Macedo (2004, p. 9) 


defined the universal jurisdiction as 





%0* Zhang (1999), p. 79. For example, the Penal Code of Finland provides that “Finnish law shall apply 


to an offence committed outside of Finland that has been directed at Finland. An offence is deemed to 
have been directed at Finland if it is an offence of treason or high treason, if the act has otherwise 
seriously violated or endangered the national, military or economic rights or interests of Finland, or if it 
has been directed at a Finnish authority.” Chapter 1, Section 3. 

* For example, the Penal Code of Finland provides that “ Finnish law shall apply to an offence 
committed outside of Finland where the punishability of the act, regardless of the law of the place of 
commission, is based on an international agreement binding on Finland or on another statute or 
regulation internationally binding on Finland (international offence). Further provisions on the 
application of this section shall be issued by Decree.” Chapter 1, Section 7. 
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“[T]he principle that certain crimes are so heinous, and so universally recognized and 
abhorred, that a state is entitled or even obliged to undertake legal proceedings without 
regard to where the crime was committed or the nationality of the perpetrators or the victims. 
It applies to the most serious crimes under international law: slavery, war crimes, crimes 
against humanity, torture, and some others.” 

Because the criminal act and effect relating to the principle of universal jurisdiction 
usually take place outside the territory of a state, it is by this very nature a matter of a 
trans-territorial jurisdiction. The global nature of online activities facilitates a cybercrime 
endangering global targets. However, as to whether the principle of universal jurisdiction can 
be applied to cybercrimes that has a severe impact on global targets, there has not been 
relative agreement. The application of universal criminal jurisdiction is primarily based on 
the nature and gravity of cybercrime. For instance, if there is cyber war crime, piracy, 
terrorism and so forth, the principle of universal jurisdiction should be applied. As with 
traditional international offences, the application of universal jurisdiction over cybercrime 
must be based on explicit provisions in international agreements. Each state cannot apply 
universal jurisdiction merely according to the domestic law (Bossard 1997, p. 111). 

In traditional law, the ownership over land extends to the sky over the land. A state’s 
jurisdiction has the similar pattern, covering surface, underground and airspace, but not outer 
space.*”° At present, we cannot help asking: does he who owns the soil, own the network? 
However, we have seen that individuals and institutions can only own the physical materials 
of the networks, but are not able to control the activities on the networks. Jurisdiction over 
uncontrollable “space” has no realistic basis. Physical and spiritual fences in a traditional 
sense cannot be valid in the networked environment. Furthermore, we must compare offences 
in cyberspace with those in watercrafts and aircrafts, which are called floating territory. A 
state has the power to exercise jurisdiction over offences occurring in watercrafts and 
aircrafts that are registered in the state. Cyberspace is not the same as floating territory in that 


what extends in cyberspace is not the state’s material entity, but is composed of abstract 





%° Outer space refers to the space located outside the Earth’s atmosphere. See Summers (2003), p. 
1168. However, because of its political sensitivity a solution to the definition/delimitation problem 
cannot be reached on an international level and the issue is still under dispute. See Van Traa Engelman 
(1993), p. 47. 
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information flows, the owners of which are difficult to determine or are distributed in many 
different territories. The conception of floating territory cannot form the basis for jurisdiction. 
Comparable cases also include, for example, the language in which information is compiled. 
If it is the rule that the language, in which an offensive message is written, is the official 
language of a state, which thus has the power to exercise jurisdiction, the situation will 
become even worse. Therefore, both the information flow and language cannot be the basis 
for jurisdiction. Many other nexuses have a similar nature. It is advisable for a set of new 


game rules to be implemented in cyberspace. 


11.3 “Separate” or “international” jurisdiction? 
J 


In the mid-1990s when the Internet was opened to access for commercial use and grew 
unprecedentedly, commentators advocated that cyberspace should be treated as a separate 
jurisdiction (For example, Johnson and Post 1996, p. 1367; Oberding and Norderhaug 1996). 
The theory argues that online communities have maintained community norms and have the 
ability to create and enforce rights and responsibilities (Oberding and Norderhaug 1996). 

In recognizing that cyberspace has its own organizational form, value standard, and 
rules, separate from those of the government, and that it maintains its own organs of power, 
the theory advocates that jurisdiction outside cyberspace should be denied. The theory 
emphasizes the novelty and independence of cyberspace, holding a sceptical attitude towards 
the power of real-life states, and worrying that the intervention of state power will hurt the 
freedom of cyberspace. 

Nevertheless, the claim completely confuses two kinds of different powers, specifically, 
the power of ISPs to establish business ethics and technical standards, and the state power to 
enact law and exercise jurisdiction. Although business ethics and technical standard to a 
certain extent may influence law, they can never replace law. Similarly, self-regulation can 
never be a substitute for the public power of law. Cyberspace should not be beyond the 
jurisdiction of the courts, and law should be used to protect the liberal development of 
cyberspace. The fundamental question is how to syncretize the two aspects, and protect the 
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development of cyberspace. 

In order to solve the issue of cyberspace jurisdiction, some scholars, represented 
primarily by Darrel Menthe (1998), put forward the theory of a fourth international space, 
which is based on the assumption that cyberspace was a new space, but comparable to the 


, 307 «308 
mare liberum,**’ outer space and the Antarctica.* 


Based on comparison and analogy, 
Menthe (1998, pp. 101-103) drew the conclusion that cyberspace ought also to accept the 
implicit international customs, that is, the customs similar to those dominating the other three 
international spaces, and thus the problem of judicial jurisdiction would be solved by 
enacting a corresponding regime-specific treaty. He asserted that four international regions 
such as Antarctic, outer space, the high seas, and cyberspace, share the similar characteristics 
of the lack of territorial jurisdiction, and thus nationality is and should be the primary 
principle for establishing jurisdiction (Menthe 1998, p. 70). 

This theory may have its advantage in solving the cases involving a single criminal and 
a single victim, or a single criminal and multiple victims. However, there are two points 
requiring special consideration in dealing with cyberspace. Cyberspace has similarities to the 
three traditional international spaces in that there has not been a unique state endowed with 
complete jurisdiction over these spaces. Nevertheless, cyberspace also has its differences 
from the traditional international spaces. The status of the traditional international spaces has 
been established by international agreements, while cyberspace is an emerging space without 
a consensus on its status. In cyberspace, there are relevant territorialities located in several 
relevant countries, such as where the nationality of a person or several persons belongs, 
where the web site is registered, where the server is set up or rented, where the victims are 
distributed, and so on. Traditional international spaces are spaces themselves, involving no 


other territoriality. In addition, traditional international spaces are beyond sovereignty, while 





°°’ The Latin phrase represents “free sea”, a sea open to navigation by ships of all nations. Dutch jurist 


Hugo Grotius published a treatise “Mare Liberum” in 1609 challenging the right of any nation to claim 
part of the open sea exclusively as its own. The title translates as “The Free Sea”. See McKenna 
(2003b), p. 225. 

*°8 Territorial claims in Antarctica have been made by the United Kingdom in 1908, New Zealand in 
1923, France in 1924, Australia in 1933, Norway in 1939, Chile in 1940, Argentina in 1943 (U. S. 
Congress, Office of Technology Assessment, September 1989, p. 41). The U. S. and Russia have made 
no territorial claims and do not recognize the claims of others, though they reserved their rights to 
assert claims in the continent (ibid., p. 43). 
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cyberspace is rooted in sovereignty. The only problem is that jurisdictions may be extremely 
competing between countries. However, merely to avoid competing jurisdictions should not 
be the ground for establishing nationality as the unique basis for an international rule on 
jurisdiction over cyberspace. At the same time, even if nationality has been established as an 
internationally accepted basis for jurisdiction over cyberspace, the “indefinitely competing 
jurisdictions” cannot yet be avoided, provided that cybercrime is an organized distributed 
denial of service attack. In cases involving multiple criminals and multiple victims, the 
theory of a fourth international space is completely unadoptable. It is hardly strange that 
these suggestions did not receive any positive reflection from any legislature (Zeviar-Geese 


2001; Wober, Frew and Hitz 2002, p. 203). 


11.4 The specific space—the determination of the location of conduct 


Compared with traditional criminal cases, cybercrime cases have both a common 
characters and differences that exert an influence on the application of jurisdiction. A number 
of studies have been targeted on cyberjurisdiction, either civil, criminal, or comprehensive, 
for example, Biegel (1996), Johnson and Post (1996), Menthe (1998), Post (1996), Jew 
(1999), Zeviar-Geese (2001), Smolen and Downing (2002), August (2002), Brenner and 
Koops (2004), etc. The current situation is more complicated than when the problem first 
emerged before the academic vision, with more possible alternatives for answering the 
question. 

According to the traditional theory of criminal law, if either criminal act or harmful 
effect happens on national territory, the crime can be regarded as happening in that country. 
The jurisdiction of the conventional courts is geographically based, with the rule 
incorporating a notion of territoriality (Jew 1999). When this theory was established, the 
early criminal law was rarely confronted with the situation of a geographical separation of act 
and effect. As we have discussed in Chapter 3, Internet communications are geographically 
independent. Information is not limited to one place, but is distributed concurrently globally 
(Police Commissioners’ Conference Electronic Crime Working Party 2000, pp. 25-28; Rees 
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2000, pp. 16-19). The geographical separation of act and effect on cybercrime is becoming 
more common. 

There does exist a form coinciding with the traditional criminal act. However, due to the 
spaceless nature of the network environment, attacking targets located in countries other than 
the one where the perpetrators hold the nationality, where they reside, or where they launch 
the attack, may easily be realized (Smolen and Downing 2002, p. 2). Add furthermore, the 
formation of criminal conspiracy, the transmission of criminal command, the transfer of 
criminal data, and the spread of malicious programmes can all pass any regions or countries 
that are connected via the Internet. As Lessig (1996, p. 1404) pointed out: online events are 
taking place “everywhere if anywhere, and hence no place in particular.” 

Traditional jurisdiction by territoriality has been determined by the place where the 
offence is committed. The commission place of crime is the basis for determining whether a 
country holds criminal jurisdiction. We have already recognized the universality of 
cybercrime: where there is a computer connected to the networks, there is a possibility of 
being abused. The problem is that millions of computers and more than a billion of Internet 
users form a dynamic space. The borders between abuse and use, defence and offence, 
criminal and victim, are not clearly divided before they are defined within a jurisdiction. 
Computers and networks are value-neutral while users have a different value orientation and 
are subject to different legal constraints. When there is no applicable law, there will be no 
difference between crime and innocence. Cyberspace is a territory with law and order over 
which no one single government can exercise control, and for which no two governments can 
cooperate. In the traditional mode, an offence has been easily linked to a place. However, in 
the Internet environment, as Lessig said, we can regard a crime scene as: “everywhere if 
anywhere,” where the jurisdiction conflicts are inevitable on the one hand; yet are 
“nowhere,” since the jurisdiction gap exists on the other hand. Therefore, the determination 
of the location of an act becomes more complex and more costly than ever before. 

The fact is that jurisdiction based on the location of the act is the most convenient way 
for evidence collection. According to traditional criminal law, the location of the act includes 
the location where the act started and where the effect occurs. Any traditional location is 
connected with an address, which is the physical existence of a particular space. An address 
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on the Internet, however, is not the same as that in the traditional sense. For example, an 
e-mail address is possibly “an archive server, a list of people, even someone’s pocket pager,” 
rather than a human being (Kehoe 1993, p. 9). Therefore, there is no address at all in 


cyberspace. 


11.6 The specific player—the determination of the location of the person 


Internet communications enable people to do far more things than clicking the mouse 
without our physical presence in the place where the effect will happen. The determination of 
an online user’s location is difficult, if not impossible. Cybercriminals tend to conceal their 
conduct, identity, and location. The complexities of the relationship between offenders and 
victims form a more remarkable scenario of international cooperation (Smolen and Downing 
2002, pp. 13-14). 

Not in all cybercrime cases can jurisdiction be determined by the location of the person, 
particularly when the investigator has no way of tracing back to the starting-point of the 
offence when the offender is located in a foreign country that does not have a law 
criminalizing cybercrime, or has such a law but without an extradition agreement between the 
two countries. Under such circumstances, the offender has the highest possibility of escaping 
criminal and other liabilities. 

Nationality is not a highly physical way of determining the location of a person. 
Nationality, nevertheless, has a direct link with a country. Traditional jurisdiction by 
nationality relies on the nationality of the criminal or the victim, that is to say, active 
nationality and passive nationality separately. In the Internet environment, both criminals and 
victims involved in a single offence can be multiple and wide distributed. In some 
successfully prosecuted cybercrime cases, nationality has, indeed, been used as the basis for 
jurisdiction. 


One of the examples of active nationality is New York v. World Interactive Gaming 
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where a New York court denied the claim that the gambling on the Antigua-based 
web site took place in Antigua, where it was lawful, and the court prohibited the New York 
owner from doing business with New York residents.*"° 

The typical example of passive nationality is that the State of Minnesota in the U. S. 
seeks to enforce its own domestic legislation against out-of-state Internet users (Jew 1999). 
The Minnesota Attorney General filed a series of lawsuits against out-of-state users in 
relation with online conducts that were supposedly damaging to Minnesota residents (Fulford 
1993, Cl). 

Jurisdiction based on passive nationality facilitates the jurisdiction based on the location 
where the victimized target is situated. The prerequisites for this jurisdiction are first the 
coordination of the authorities in the location of the act or nationality, and second the 
mechanism of extradition. In United States v. Thomas (1996), Robert Thomas and his wife 
Carleen Thomas in California operated the Amateur Action Computer Bulletin-board System 
(“AABBS”), transferring pornographic pictures to paid users, with advertisements soliciting 
users to purchase videos. “Its features included e-mail, chat lines, public messages, and files 
that members could access, transfer, and download to their own computers and printers.”*"! 
Beyond receipt of a complaint about the AABBS from a resident of the Western District of 
Tennessee, Agent David Dirmeyer, the U. S. Postal Inspector applied to become a user by 
nickname, and downloaded several “gif” files as evidence. With this evidence, Dirmeyer 
indicted the accused for breaching the laws of this state and the U. S. Federal Obscenity Law 
in the Tennessee Federal Court. The court held that although the accused stored their 
materials in the computer at home, freely downloaded by the users, and did not breach the 
law of California, these materials were found in Tennessee and the couple were convicted 
according to the laws of Tennessee.”!” 


In a broader sense, some newly-developed theories can be regarded as the expansion of 


the nationality principle, such as the theory of server jurisdiction, the theory of the uploader 





309 People of New York v. World Interactive Gaming Corp., 185 Misc. 2d 852, 714 N.Y.S.2d 844 
(N.Y. County Sup. Ct. 1999). 
*!° Supreme Court of the State of New York, County of New York: Commercial Part 53, Index No. 
404428/98. 
S United States v. Thomas (1996 FED App. 0032P (Sixth Circuit)) 

ibid. 
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and downloader jurisdiction, both mentioned in Menthe (1998). The theory of server 
jurisdiction has its advantages in identifying the location of the server, that is, the registration 
place. The disadvantage is that the offensive servers may possibly be registered in a country 
where the law legalizes such activities, while the services it provides may be accessed from 
all over the world. Then the jurisdiction stops at the state boundaries. In the case of a server 
as a criminal target, the principle is essentially a jurisdictional variance by passive nationality. 
The theory of the uploader and downloader jurisdiction is slightly different from a 
jurisdiction by nationality in that if the offender from state A travels to state B and launches 
attacks against the targets in, say, states C, D, E... Then, state A is where she or he holds a 
separate nationality, state B is where she or he commits the offence, and states C, D, E... are 
where the effects of her or his offence take place. Thus, the theory is in fact a variety of 


jurisdiction by passive nationality as well. 


11.6 Liability-based cybercriminal jurisdiction 


The establishment of a nexus for jurisdiction should be based on the existence of 
liability. Jurisdiction over cybercrime should be built on the most direct link with the liable 
subject. The location of the act has most direct link with the perpetrator. Therefore, in most 
situations, jurisdiction is established by the place where the offence is committed, without 
any exception for cybercrime. Although the process of the criminal act may involve different 
locations at the same time or at different stages, there is still a place where the perpetrator 
sends the most direct command, which may be an input from a keyboard, clicked with a 
mouse, both from a fixed terminal or from a mobile terminal. The location of the terminal is 
where the criminal most probably appears in person. 

The prerequisite for jurisdiction is the existence of liability. It is liability rather than the 
person or crime that is the basis for jurisdiction. Where there is no liability, there is no 
jurisdiction. When our discussion resolves around jurisdiction, we are in fact caring about the 
power to hold the criminal liable. The above-mentioned function of the most direct link 
indicates that to establish jurisdiction, liability should be identified in the exact location. In 
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traditional criminal-law theory, the principle has already been established that criminal 
liability starts from the beginning of the act, lasts during the process of the offence, and ends 
with the occurring of the effect. If the location where the offence begins, proceeds, and ends 
are different, then the authorities of all the three locations may have jurisdictional power. In 
addition, emphasis on the traditional theory is placed on the location where the act begins and 
ends. 

In cases of cybercrimes, the separation of the three categories of locations is obviously 
common. However, the most suitable jurisdiction should be established in the locations 
where the act is committed or the effect happens. The locations where the cybercrime may 
“pass by,” but does not have an influence on the local interests should not establish 
jurisdiction, because there is no existence of liability in such locations. The claim that a 
server or a web site should be the unique nexus for jurisdiction in cyberspace is not 
acceptable. If there is no liability for breaching local interests, jurisdiction can only be 
established according to the principle of universal jurisdiction. Locations of servers or web 
sites are not necessarily the place where the criminal act begins with a command or ends with 
an effect. They may be a nexus in some cases, but not the only nexus in all cybercrimes. For 
example, an individual in State A publishes a message on a web page deposited in a server in 
State B in order to defame another individual in State C. The calumniator uses the native 
language that few understand in State B, and few retrieve the massage there. That language 
may be understood in State C where the victim resides. Apparently, State A and State B 
should hold the perpetrator liable, but not State B, which is only a place where the message is 
deposited. However, if the residents in State B can also understand the language of State A, 
the situation will change, because the effect of defamation also happens in State B. Then 
State B can establish jurisdiction, even though neither the criminal nor the victim resides 
there. 

The prerequisite for liability is the existence of both act and actor. Criminal liability 
means that the actor is liable for his or her act. The most convenient situation for exercising 
jurisdiction is that the actor acts in the same place where he or she resides permanently. We 
suppose once it was unnecessary to distinguish territoriality from nationality. In the 
information age, what is common is that both the actor and the act are dynamic, and that even 
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the tools of crime are also the wireless and mobile phone. Yet, the actor and his or her act are 
necessarily connected with a certain space. For example, an individual uses a mobile terminal 
in State A to send a command to a fixed terminal located in State B, the terminal in State B 
then transmits the command through several nodes separately in different states before it 
arrives a terminal in State Z, and the terminal in State Z makes the last command and 
activates hundreds of thousands of terminals located all over in the world to launch a 
distributed denial of services attack towards a target in Finland. There is no sense in the node 
states and states where the terminals are located to claiming jurisdiction. However, State A 
and Finland may have the better reason to hold the individual liable. 

Jurisdiction is no more than jurisdiction over the person and over the event. It is a 
combination of jurisdiction over a liable person and over a liable event. Nevertheless, it is 
also possible to establish jurisdiction over data packets. When cybercrime involves fraud, 
embezzlement, illegal sales of drugs, weapons, pornography, and the trafficking of persons, 
there must somewhere be a location where the substances and victimized human beings are. 
In addition, supposing that cyber wars or cyber terrorist attacks occur, and the perpetrator has 
breached international criminal law, then universal jurisdiction may play its role. Any states 
that have joined the agreement should hold the perpetrator liable. In fact, many new theories 
on jurisdiction deal with the locations in which these packets are created, sent, transmitted, 
processed, deposited, or reached. Due to the digital and fluid nature of packets, it is possible, 
but it is unreasonable to establish jurisdiction over the packets as the only nexus which 
proves the perpetrator liable. 

To meet the requirement for protecting the victims, a jurisdiction is also established 
which is focused on the victims. However, it is still jurisdiction over the liable person and 
liable act. It is meaningless to locate the victim merely. Jurisdiction according to passive 
nationality is based on the jurisdiction over the criminal. However, it has more meaning in 
cases of cybercrimes when extraditing multiple criminals to the domestic state of the victim. 
If cybercrime is an organized attack in which criminals are distributed throughout many 
states, and in which victims are also located in many countries, jurisdiction according to 
passive nationality is invalid, and so are jurisdictions according to active nationality and 
territoriality. No old and new theory is suitable for dealing with cases of this kind. States 
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must negotiate to coordinate their actions. Only if universal jurisdiction is available in these 
cases can the states reach a consensus to hold these hackers liable, by prosecuting them in 
one state. 

Wherever the starting-point is, the establishment of jurisdiction should be based on the 
liable person and the liable act. Without these two aspects, there is no liability, and thus no 
necessity for jurisdiction. If the servers, web sites, and even owners of cables are not directly 
involved in the offence, they should be immune from criminal liability. For example, if they 
are abused, exploited, or manoeuvred, they are innocent. Only when they are directly 
involved in the case should they be liable for the offence, for example, only if the web site 
itself is designed to spread malicious programmes should the owner be liable. 

However, the ultimate bearer of liability is the criminal but not the crime. The purpose of 
jurisdiction is to hold the criminal liable. If the link between liability and the bearer of the 
liability cannot be established, jurisdiction is valueless. Those who have claimed a separate 
kind of jurisdiction have ignored the exact nature of the jurisdiction of criminal justice, that is, 
the power of a state over a criminal for his or her crime. Once the power of the state is denied, 
there will be no jurisdiction. The imagination of changing cyberspace into an independent 
sovereign space has nothing to do with criminal justice. 

In sum, what criminal jurisdiction responds to the question of criminal liability borne by 
the criminal and based on a criminal act. It will be clearer if we take an example from the 
Finnish Penal Code. Chapter 17 Section 16 (563/1998) of the Code provides that organized 
gambling is the act of unlawfully arranging gambling or keeping a room or other premises for 
gambling, or where the proprietor of a hotel or restaurant establishment allows gambling to 
take place.*'? The establishment of jurisdiction has to satisfy two prerequisites: a space for 
gambling, and “games and activities” that can be categorized as gambling. In order to extend 
the validity of this clause to online gambling and establish jurisdiction, a web site has to be 


regarded as a similar place to a room or other premises, while clicking with a computer mouse 





313 Here, “Gambling means pools, bingo, tote and betting games, money and goods lotteries, casino 
operations and other similar games and activities where winning is completely or partially dependent 
on chance or events beyond the control of the participants in the game or activity and where the 
possible loss is clearly disproportionate to at least one of the participants’ ability to pay up.” Penal 
Code of Finland, Chapter 17, Section 16 (563/1998). 
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in the face of a screen on which “gambling” is taking place should be regarded as the 
equivalent of “gambling.” Finally, organizing gambling in such a place has to be prescribed 
explicitly in the laws or regulations so as to provide the basis for liability and thus the basis 


for jurisdiction. 


11.7 Critical factors in cybercriminal jurisdiction 


After examining most of the plans for jurisdiction over cybercrimes, it is clear that no 
single plan can solve all the problems. Any plan has both advantages and disadvantages. 
Furthermore, some new plans have no practical meaning for the field of criminal justice, but 
only for civil and administrative cases. Although cybercrime is different from traditional 
crimes, it is impossible to abandon completely the traditional criminal-justice system. This 
chapter attempts to collect some factors for a seemingly comprehensive solution to the 
question of jurisdiction over cybercrime. This solution is based on the idea that jurisdiction 
over cybercrime can be flexibly based on traditional jurisdiction, and supplemented by 
jurisdiction over the location of the computer from which the most direct demand was made. 
The aim of the plan is to explore the possibility of solving the question of jurisdiction over 
most cybercrime cases. 

The main issue in a jurisdiction based on the location of the act is that a cybercrime case 
may involve multiple places. It is significant to determine the place where the computer is 
from which the most direct command was sent, such as the location of the computer from 
which the intrusion command was made, the location of the computer from which the illegal 
contents and viruses were published, and the location of the computer from which the 
command for a distributed denial-of-services attack was made. This is in fact an alternative to 
the jurisdiction based on the location of the act, in which tools of the act are identifiable. 
Generally, this location is most closely linked to the perpetrator, and it is convenient to collect 
evidence and arrest the suspect. But if the victims are concentrated in a certain place, for 
example the attack is targeted at information systems of a web site, a server, an institution, or 
even a State, the more convenient way is to hold the perpetrators liable at the location where 
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the victims are situated. 

In intrusion cases, there must be a computer used in the offence, or alternatively, there 
must be an IP address. Even if the perpetrator uses the dynamic IP address, or conceals the 
real IP address, it is not completely impossible to trace back the real location. 
Notwithstanding this, the process may turn out to be more complicated, and the cost may be 
more expensive. 

In content- or security-related offences, if the owner of the web site, manager, 
administrator, and perpetrator is an identical figure, jurisdiction based on the computer from 
which the direct command was made is possible. If they are different, according to the 
principle of individual liability, it is necessary to find the perpetrator in the location of the 
computer from which the direct command was made. 

In distributed denial of services attacks, if thousands of computers are manoeuvred so as 
to launch attacks, it is far from easy to determine the location of the relevant jurisdiction. 
Most of these computers may belong to innocent third parties. Therefore, the location of the 
computer from which the command was sent must be identified. There may be one location or 
more locations subsequently or simultaneously. The principle should be to establish 
jurisdiction through any one of the locations. If the crime is committed by multiple 
perpetrators in many locations, the jurisdiction should once again be coordinated. 

The registration place of a web site can be an alternative to nexus of active nationality, 
that is, the nationality of the corporation. In cases of web sites providing obscene materials, or 
gambling services, jurisdiction established on this basis can avoid the loophole where the 
perpetrator escapes jurisdiction on ground of his personal nationality. If an individual in State 
A registers a web site in State B, and as a result the residents in State C are victimized, State B 
should hold the individual liable. In this case, the location of the server is difficult to 
determine. However, when the substantial location of the web site is where it was registered, 
jurisdiction over this offence should be directed to the registration location. 

It is possible for the perpetrator to escape the law of the state of his nationality, and 
register the web site in a state that does not criminalize the act. In this case, the only feasible 
way is to the coordinate laws between these states. If it is impossible to coordinate laws -as in 
most cases, and the state of registration does not prosecute the case according to its own law, 
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the jurisdiction can also be established according to the passive nationality. 

Whatever the situation, state sovereignty should be respected according to the general 
rule of international law. The problem should only be solved through negotiation. 

In cases of the provision of illegal services, the location of the bank account used to 
receive payment should also be a nexus. The essence of illegal services is to make money, 
while the key step in making the money is to receive the payment. Therefore, the location 
where the payment is received is critical in establishing jurisdiction. Receiving money is a 
part of the criminal act, and has direct link with the perpetrator. Although there is a possibility 
that payment may pass through many countries, the final account must be located in one or 
more specific states. Jurisdiction based on these locations is significant. If it is impossible for 
this state to prosecute, it remains feasible to apply the jurisdiction of passive nationality. 

In the case of online sales of goods, jurisdiction should be based on the nexus of location 
where the controlled articles are situated. In the online transaction of legal goods, there is a 
deposit location and a consignment location, usually involving individuals who are directly 
responsible for the transaction. If other liable persons are traceable, the case can be 
investigated or prosecuted by the authorities of the state where the act has been committed or 
the state of nationality. If they are not traceable, the individuals directly involved in the 
consignment of the goods should be investigated so as to find more clues. The goods should 
also be sealed and distrained. If this state cannot investigate on grounds its own law, 
jurisdiction according to the passive nationality or protection jurisdiction should be applied. 

In cyber terrorist cases and other crimes prescribed in international law, the 
establishment of universal jurisdiction is inevitable. A kind of super-national jurisdiction is 
also possible where dual criminality is not the prerequisite as in traditional criminal law. 
Regionally, the Convention on Cybercrime requires member parties to establish a jurisdiction 
sufficient to hold most of the offenders liable for their activities which are prohibited by the 
Convention. A similar treaty is the UN Convention against Trans-national Organized Crime, 
which offers great potential for enhanced cooperation among countries with respect to the 
implementation of anti-money laundering measures inevitably related to the abuse of 


computer networks. 
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11.8 Conclusion 


Because of the wide existence of cybercriminals and the lack of legal consensus, 
cyberjurisdiction is becoming a problem that legislation and law enforcement must face. The 
challenge is to create rules that work smoothly across local, national, and international 
boundaries. 

In order to rebuild the basis for jurisdiction, countries have passed laws or make 
precedents to cover cybercrime under domestic power. As far as the expanding of the 
principle of territorial jurisdiction is concerned, theoretical and practical efforts have been 
made to create new jurisdictional links between the power of the authorities and the events. 
The dissertation evaluates the theory of web site locus jurisdiction and the theory of the 
limited expansion of the principle of territorial jurisdiction. On the other hand, significant 
efforts have also been made to establish new jurisdictional principles, including theory of the 
new sovereignty, and the theory of international space. 

However, all these efforts are limited in the scope of their application. A comprehensive 
consideration of factors needed for solving the issue of jurisdiction over cybercrime is 
discussed in this chapter, with the purpose for establishing the grounds for a jurisdiction 
based mainly on traditional criminal-law theory and according to different situations in 
cybercrime cases. Practically speaking, traditional legal framework may have the potential to 
extend its domain to cyberspace with respect to jurisdiction. For example, the Penal Code of 
Finland prescribes that where “there is no certainty of the place of commission, but there is a 
justified reason to believe that the offence was committed in the territory of Finland, it is 
deemed to have been committed in Finland.”*!* 

In shifting the emphasis of jurisdiction over cyberspace from a territoriality-dependent 
crime scene to a territoriality independent crime scene, a comprehensive scheme should be 
drawn up to reach full coverage of the complicated situations. Successful trans-border 
prosecutions have proved that law enforcement is not without resources when there is an 


urgent call for international assistance, regardless of state boundaries. One of the more 





34 Penal Code of Finland (39/1889), Chapter 1, Section 10 (4). 
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striking examples is the Operation Predator operation. Since 9 July 2003, the U. S. 
Immigration and Customs Enforcement (ICE) have launched the Operation Predator 
programme to investigate paedophiles, human traffickers, international sex tourists, and 
individuals who trade in child pornography. The achievements of the ICE have been 
approximately 7,000 arrests of individuals in the U. S. and 13 other countries as a result of 
information provided by the ICE itself.°!° 

Jurisdiction is not the only factor, but it is the most important one necessitating 
international cooperation. However, one of the prior premises for the resolution of the 
jurisdictional problem is the harmonization of substantive law. The next chapter will give a 


brief sketch of the international efforts to harmonize cybercrime law. 





a, 8. Immigration and Customs Enforcement, Austrian Authorities Act on ICE Leads; Execute 120 


Search Warrants in Massive Child Pornography Probe, 13 June 2005. Retrieved 15 March 2007, from 
http://usinfo.state. gov/gi/Archive/2005/Jun/14-475154.html 
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CHAPTER 12. INTERNATIONAL ACTIONS: HARMONIZING LEGAL SYSTEMS 
IN THE NETWORKED CRIME SCENE 


12.1 Introduction 


Traditionally, crime and punishment are largely local, regional, or national. Today, many 
differences confronting us are associated with the transnational character of cybercrimes. It is 
therefore important to have international legal instruments ready to serve anti-crime efforts. 

This chapter looks at international harmonizing efforts to fortify the legal battle against 
cybercrime, categorizing the actions into four aspects: professional law-enforcement efforts, 
regional efforts, multi-national efforts, and global international efforts. Subsequently, the 
chapter also categorizes the international actions according to the subject-matters into 
additional aspects, including the promotion of security awareness at both international and 
national levels, the harmonization of legislation, coordination and cooperation between 
law-enforcement agencies, and direct anti-cybercrime actions. The chapter will also examine 
the nations’ attitudes toward the Convention on Cybercrime. Based on the analysis, the 
chapter will briefly evaluate the effectiveness of previous attempt at international 


harmonization. 


12.2 From domestic legislation to international harmonization 


As we have seen in Chapter 11, people usually are impressed by the illusory overlap 
between Internet space and international space. Notwithstanding the fact that information 
systems are linking continents, islands, residents and communities into a giant virtual 


network, states and areas preserve their traditional sovereignty. McConnell International’s 
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metaphor (2000, p. 8) said that: “In the networked world, no island is an island.” At this 
turning point, the globally connected Internet has made cybercrime a trans-border problem. 
The “international dimension” (Wasik 1991, pp. 187-201), “trans-national dimension” 
(Sofaer and Goodman 2005) or “global dimension” (Grabosky 2004, pp. 146-157) of 
cybercrime is universally perceived. While law is always territory-based, the tool, the scene, 
the target, and the subject of cybercrime are all boundary-independent. Domestic measures 
will certainly be of critical importance but not sufficient for meeting this worldwide 
challenge. International coordination and cooperation are necessary in fighting offences 
commonly prohibited by every country. 

Many international organizations have been making efforts to harmonize actions within 
their forums. Many authors have also been pursuing research on international harmonization 
from different standpoints and for different goals; for example, Sieber (1996, 1998), United 
Nations Crime and Justice Information Network (UNCJIN) (1999), Police Commissioners’ 
Conference Electronic Crime Working Party (2000), Sofaer and co-workers (2000), Putman 
and Elliott (2001), Schjolberg (2005), and so on. Although information about the basic facts 
of international harmonization that these research studies deal with is the same, different 
knowledge can be drawn from different thinking. For the purpose of convenient 
summarization within this chapter, I categorize the international harmonization actions into 
the following groups: professional organizations, regional organizations, multi-national 
organizations, and global organizations (See Table 3). Many other valuable international 
actions have simply not been considered due to the limit of this study (it is hardly possible to 
assume that studies on cybercrime can cover all useful international actions of international 


organizations at all levels). 


Table 3 Categories of International Harmonization Concerning Cybercrime 
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12.3 Professional efforts of the International Criminal Police Organization 


(Interpol) 


Many international organizations qualify for professional organizations, because their 
goals and activities are focused on certain specific issues; these organizations include Interpol, 
the International Telecommunications Union, etc. However, professional efforts here 
primarily mean substantial actions in the field of cybersecurity protection and cybercrime 
prevention. Although some other organizations also greatly contribute to coordinating 
cybersecurity protection, their emphasis is not necessarily on the law. By this standard, this 
section only analyses the actions of the International Criminal Police Organization 
(Interpol).*!° 

As an international law-enforcement organization with 184 members, Interpol started 
to tackle computer crime very early, coordinating law-enforcement agencies and legislations, 
in regard to which Interpol made efforts to improve counter-cybercrime capacity at the 
international level. A 1981 survey of members on cybercriminal law recognized dilemmas in 
application of existing legislation (Schjolberg 2004). Based on the recognition of the legal 
gaps between countries, and gaps between the legal framework and criminal phenomena, 
Interpol expanded its task to both law enforcement and legal harmonization. 

Currently, there are four working parties within the framework of Interpol, comprising 
African, American, Asia-South Pacific and European Working Parties on Information 
Technology Crime. Besides these groups, a Steering Committee for Information Technology 
Crime was established in order to harmonize the different regional working-party 
initiatives.°'’ Considering the already-harmonized legislation as the prerequisite for the 
coordinated law enforcement, the African Working Party agreed upon “the project on 
legislation and comparative law existing in the Africa with a view to having more African 


states co-signing and/or ratifying the Council of Europe Cybercrime Convention.” *' 





*!© For a general analysis of Interpol as “a world crime-fighting organization that has puzzled three 


generations of scholars, law-enforcement officers, and legislations,” see Fooner (1989). 
*!” See Interpol web site for detailed introduction to the functions and activities of these working 


parties and the steering committee, at 
http://www. interpol. .net/Public/TechnologyCrime/WorkingParties/Default.asp 
318 +p: 

ibid. 
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Compared with the situation mentioned in the conclusion of Chapter 8 (see Section 8.5), this 
is a distinct step forward. Apparently, legal harmonization is one of Interpol’s important tasks 
in working towards an effective law-enforcement environment. 

In regard to law enforcement, Interpol has provided a technical guidance in cybercrime 
detection, investigation and evidence collection. The Interpol Information Technology Crime 
Investigation Manual was compiled by the European Working Party on Information 
Technology Crime.” ” Compared with the substantive and procedural law harmonization of 
today’s Convention on Cybercrime, the Manual developed a technological law-enforcement 
model to improve the efficiency of combating cybercrime. 

Along with efforts in law enforcement on cybercrime, Interpol also takes distinct actions 
to prevent cybercrime, cooperating with credit-card companies to combat payment fraud by 
building a database on Interpol’s web site (Police Commissioners’ Conference Electronic 
Crime Working Party 2000, p. 64). As one of the necessary cooperation projects at the 
international level of law-enforcement, cybercrime and other trans-border crimes are 
specially dealt with by Interpol in gathering and sharing information. In addition, Interpol is 
making efforts to establish a network to for harvesting information relating to activities on 


the Internet.°”° 


12.4 Regional efforts 


There are many regional international organizations, with a narrow or broad coverage of 
states, more or less making efforts to maintain cybersecurity and harmonize international 
measures to combat cybercrime. This section will introduce only four of these organizations, 
which have taken typical actions in combating cybercrime. 

(i) The Asia-Pacific Economic Cooperation (APEC) 

In the Asia-Pacific region, APEC coordinates its 21 member economies to promote 


cybersecurity and to tackle the risks brought about by cybercrime (APEC 2003). APEC has 





319 sp: 
ibid. 
*°° Interpol, Interpol press release, CPN02/00/COMandPR, 5 February 2001. 
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conducted a capacity-building project on cybercrime for member economies in relation to 
legal structures and investigative abilities, where the advanced APEC economies support 
other member-economies in training legislative and investigative personnel.*”! 

After the 9/11 attacks on the U. S., the APEC Leaders issued a Statement on 
Counter-Terrorism, condemning terrorist attacks and considering it urgent to reinforce 
collaboration at different layers to fight against terrorism. The Leaders called for reinforcing 
APEC activities to protect critical infrastructure.” 

The Telecommunications and Information Ministers of the APEC economies issued the 
Statement on the Security of Information and Communications Infrastructures and a 
Programme of Action in 2002,°” supporting measures taken by members to fight against 
misuse of information. The Senior Officials’ Meeting has made a recommendation which 
designates six areas that can serve as the foundation for APEC’s endeavour for cybercrime 
prevention, comprising legal development, information sharing and cooperation, security and 
technical guidelines, public awareness, training and education, and wireless security. 324 The 
Ministers and Leaders of APEC have made a commitment to “endeavour to enact a 
comprehensive set of laws relating to cybersecurity and cybercrime that are consistent with 
the provisions of international legal instruments, including the UN General Assembly 
Resolution 55/63 and Convention on Cybercrime by October 2003.”°”° 

In response to this call from the leaders, a survey of laws was carried out and a summary 
was made of the responses from member economies received in 2003 (See E-Security Task 
Group 2003). The economies proposed corresponding projects in information-security task 
groups. For example, the U. S. proposed a project in the e-Security Task Group of the 
Telecommunications and Information Working Group. The first phase of this project was a 


meeting of cybercrime experts from around the region. The meeting was held from 21-25 





*°! Cybercrime Expert Group, Proposal, Doc no: telwg29/ESTC/12, APEC Telecommunications and 
Information Working Group, 29" Meeting, 21-26 March 2004, Hong Kong, China. 
322 APEC Leaders Statement on Counter-terrorism, APEC Economic Leaders’ Meeting, Shanghai, 21 
October 2001. 
*°3 APEC, Recommendation by the APEC Telecommunications and Information Working Group 
(TEL) to APEC Senior Officials (SOM) for an APEC Cybersecurity Strategy, 2002/CSOM/052, 
Concluding Senior Officials Meeting, Los Cabos, B.C.S., Mexico, 21-22 October, 2002. 

ibid. 
°° Cybercrime Expert Group, Proposal, Doc no: telwg29/ESTC/12, APEC Telecommunications and 
Information Working Group, 29th Meeting, Hong Kong, China, 21-26 March 2004. 
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July, 2003 in Bangkok, Thailand, and was attended by over 120 delegates from 17 economies. 
The objectives of the meeting were to assist the economies to develop the necessary legal 
frameworks; to promote the development of law-enforcement capacity; and to strengthen 


326 
In 


cooperation between private and public sectors in addressing the threat of cybercrime. 
the conference, the experts present agreed that every economy needed a legal framework 
including one for substantive and procedural law, and for the law and policies of 
inter-economies cooperation. They confirmed the role of international instruments, 
particularly the Convention on Cybercrime. They also emphasized jurisdictional cooperation, 
law-enforcement construction, and the capacity building of the investigators.*”” 

In 2005, The sixth APEC Ministerial Meeting on the Telecommunications and 
Information Industry passed the Lima Declaration, “encouraging all economies to study the 
Convention on Cybercrime (2001) and to endeavour to enact a comprehensive set of laws 
relating to cybersecurity and cybercrime that are consistent with international legal 
instruments, including UN General Assembly Resolution 55/63 (2000) and the Convention 
on Cybercrime (2001).”**8 However, due to the great difference between member economies 
within APEC, the development toward unified legal instruments has not been too satisfactory. 
Although some economies have claimed that their laws have been completely consistent with 
the Convention, and some other economies were taking actions to implement provisions 
similar to the Convention, many other countries have quite different legal systems or have no 
law criminalizing cybercrime. 

Efforts are still to be made in the forum of APEC to address cybercrime. The U.S. 
proposed the Judge and Prosecutor Cybercrime Capacity Building Project in 2006 in order to 
develop a curriculum devised by government and private sector experts; to translate the 


curriculum into domestic languages; and to train the trainer (judges and prosecutors).*”” 





°° See APEC, Cyber Security Workshop Summary, 2003/SOMIII/ECSG/021, Electronic Commerce 
Steering Group Meeting Phuket, Thailand 15-16 August 2003. 

*°7 APEC, Conference on the Strengthening International Law-enforcement Cooperation to 
Prosecute Cyber Criminals, Hackers, and Virus Authors, Media Release, Bangkok, 25 July 2003. 

*°8 Article 26 of Lima declaration, The 6th APEC Ministerial Meeting on the Telecommunications and 
Information Industry (TELMING, 1-3 June, 2005, Lima, Peru). 

°° APEC, 2006 Budget — Operational Account Project: TEL 04/2006 — Judge and Prosecutor 
Cybercrime Capacity Building Project, 2006/BMC1/012-6, Budget and Management Committee 
Meeting I, APEC Secretariat, Singapore, 29-30 March 2006 
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(ii) The Council of Europe (CoE) 
The Council of Europe has been working to tackle rising international anxiety over the 
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risks brought about by the automatic processing of personal data since the early 1980s." In 


1981, the Council of Europe implemented the Convention for the Protection of Individuals 


with Regard to Automatic Processing of Personal Data,**! 


which was revised according to 
the Amendment to Convention ETS No. 108 Allowing the European Community to Accede, 
15 June 1999, and the Additional Protocol to Convention ETS No. 108 on Supervisory 
Authorities and Trans-border Data Flows, 8 June 2000. The Convention recognized the 
desirability “to extend the safeguards for everyone’s rights and fundamental freedoms, and in 
particular the right to the respect for privacy, taking account of the increasing flow across 
frontiers of personal data undergoing automatic processing,” and the necessity “to reconcile 
the fundamental values of the respect to privacy and the free flow of information between 
peoples” (Preamble). The Convention covers the protection of personal data in both the 
public and private sectors. 

Chapter II of the Convention established basic principles for data protection, one of 
which is data security (Article 7), covering the prohibition of accidental or unauthorized 
access, alteration and dissemination. 

The expert committee appointed in 1985 published Recommendations of 1989 and 1995, 
addressing the issues of substantive laws and procedural law in this area respectively.*” 

Recommendation R. No. (89) 9 recognized the importance of an adequate and quick 
response to the new challenge of computer-related crime, which often has a trans-border 
character, and recommended the governments to consider the Report on Computer-Related 
Crime drawn up by the European Committee on Crime Problems. 

Then there is Recommendation No. (95) 13 Concerning Problems of Criminal Procedure 


Law Connected with Information Technology. The Recommendation recognized that 


information systems may also be used for committing criminal offences, evidence of criminal 





°° For example, on 13 September 1989, the Committee of Ministers of the Council of Europe adopted 
Recommendation R (89) 9 of the Council of Europe on Computer-Related Crime, which contained 
guidelines for national legislatures. 

3! ETS No. 108, 26 January 1981. 

33° See Recommendation No. R. (95) 13. 
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offences may be stored and transferred by these systems, while the criminal procedure law of 
member states often do not provide for appropriate powers to search and collect evidence in 
these systems during a criminal investigation. The appendix to the Recommendation lays 
down the principles for criminal procedure laws on search and seize, technical surveillance, 
obligations to co-operate with the investigating authorities, electronic evidence, use of 
encryption in research, statistics and training, and international cooperation. 

In 1997, the Council of Europe began drafting the Convention on Cybercrime, which 
was open for signature in 2001 and took effect in 2004.77? In 2003, the Additional Protocol 
to the Convention on Cybercrime Concerning the Criminalization of Acts of a Racist and 
Xenophobic Nature Committed Through Computer System (ETS NO. 189) was implemented. 
The Convention addresses substantive law, procedural law, jurisdiction, and international law 
in the field of cybercrime. The Convention is a historic landmark in the combat against 
cybercrime.*** It is expected that the Convention will have a deep impact on the legal reform 
relating to cybercrime in its 46 member states and one candidate state. The detailed analysis 
on this Convention will be dealt with in infra Section 12.8. 

In the 2004 Conference on Cybercrime, the Council of Europe called for “wide and 
rapid” access to and “effective implementation” of the Convention on Cybercrime, raising 
awareness in the highest political level, and encouraging cooperation between public and 
private sectors.**° 

On the 2005 Conference on Cybercrime, the Council of Europe expressed concern about 
the fast-increasing threats and serious social and economic results of cybercrime including 
terrorist activity on the Internet, noting that most cybercrime is international cybercrime, 
recognized the need for effective and compatible laws and tools to enable efficient 
cooperation to combat cybercrime, calling upon public and private cooperation, and 
encouraging access to the Convention on Cybercrime.**° 


In 2006, the Council of Europe launched a Project against Cybercrime, intended to 





333, See Council of Europe, Convention on Cybercrime, CETS No.185, status as of 20 March, 2006. 

3 For more detailed discussion. See infra Section 6. 

*°° Council of Europe, Conference on The Challenge of Cybercrime, 15-17 September 2004, Palais de 
l'Europe, Strasbourg, France. 

°° Council of Europe, Cybercrime: A Global Challenge, A Global Response, Casa de America, 
Madrid, Spain, 12-13 December 2005, CYB (2005) Conclusions. 
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grant assistance to the development of national legislation in line with the provision of the 
Convention, training of judges, prosecutors and law-enforcement officers, and training of 
criminal justice officials and 24/5 contact points in international cooperation. 

(iii) The European Union 

The EU took a series of actions to tackle cybercrime through impelling a coordinated 
law enforcement and legal harmonization policy. Civil liberty has also been a focus in the 
anti-cybercrime field. 

In 1995, the European Parliament and the Council endorsed Directive 95/46/EC of 24 
October 1995 on the protection of Individuals with regard to the Processing of Personal Data 
and on the Movement of Such Data. Section VIII of the Directive specifically deals with 
confidentiality and security of processing of personal data. The Directive applied to 
protection of natural persons (Article 2(a)). The scope of the Directive was limited to the 
processing of personal data entirely or partially by automatic means (Article 3-1). The 
Directive required that appropriate technical and organizational measures have to be 
implemented to protect personal data against illegal destruction, alteration, access and other 
illegal forms of processing (Article 17-1). 

The Directive required the Member States to provide administrative and judicial 
remedies for the victim (Article 22), and provided for the compensation liability of (Article 
23) and sanctions on (Article 24) the transgressor. 

In 1997, the European Parliament and the Council endorsed Directive 97/66/EC of 15 
December 1997 concerning the Processing of Personal Data and the Protection of Privacy in 
the Telecommunications Sector. The Directive was aimed at furthering the protection 
implemented in Directive 95/46/EC, and providing for the harmonization of the Member 
States’ provision to attain an equivalent level of protection (Article 1-1). The Directive 
extended the protection of legitimate interests to legal persons (Article 1-2). 

The application scope of the Directive was limited to the processing of personal data 
relating to the provision of publicly available telecommunications services in the public 
telecommunications networks; particularly via the ISDN (Integrated Services Digital 
Network), and public digital mobile networks (Article 3-1). As the Directive 95/46/EC is 
concerned with automatic processing systems, Directive 97/66/EC has emphasized the 
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linkage with the telecommunications network. The Directive provides requirements directly 
targeted at the service providers (but not member states) “to take appropriate technical and 
organizational measures to safeguard the security of its services.” (Article 4-1). The Directive 
requires the Member States to implement the regulations ensuring the confidentiality of 
communications, prohibiting listening, tapping, storage or other kinds of interception or 
surveillance of communications by unauthorized natural and legal persons (Article 5). The 
Directive limited unsolicited communications (Article 12), which covers automatic calling 
systems or facsimile machines, but not e-mails. 

On 27 November 2001, a plenary session took place in Brussels of the EU Forum on 
Cybercrime, organized by the EC,**’ and where the primary discussion was about the 
retention of traffic data (EU Forum on Cybercrime 2001). 

In April 2002, the Commission of the European Communities presented a Proposal for a 
Council Framework Decision on Attacks against information systems, and this proposal 


5.°°8 The Framework Decision 


constitutes the case of the Decision of 24 February 200 
criminalized the offences of illegal access to information systems (Article 2), illegal system 
interference (Article 3), illegal data interference (Article 4), and instigation, aiding and 
abetting of these offences or attempt at them (Article 5). The Framework Decision only dealt 
with attacks through unauthorized access to or interference with information systems or data. 
According to the Decision, illegal access can only be constituted when the illegal activities 
are targeted intentionally against an “information system with specific protection measures in 
place and [the attacks] must be for economic gain.” (Article 2) 

The Commission further considered the future possibility of “specific protection 
measures” (Proposal for a Council Framework Decision on Attacks against information 
systems) to broadband networks, saying that, “it is necessary that criminal law covers 
unauthorized access to their systems even though there may not be adequate technical 
protection for their systems.” (ibid.) Thus, concerning the interference with information 


systems, it is constituted by serious “hindering” or “interrupting” of the functioning of 





ae European Commission, EU Forum on Cybercrime, Plenary session, Brussels, November 27, 2001. 
*°8- Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information 
systems, Official Journal L 069, 16/03/2005 P. 0067 — 0071. 
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information systems by “inputting, transmitting, damaging, deleting, deteriorating, altering, 
suppressing or rendering inaccessible computer data” (Article 3). 

This Framework Decision does not specify penalties for illegal access to information 
systems and instigation, aiding and abetting and attempting of these offences, but requires 
member states to take the necessary measures to ensure that they are punishable by effective, 
proportional and dissuasive criminal penalties (Framework Decision, Article 6.1). The 
Decision specifies the penalties for illegal system interference and illegal data interference as 
punishable by criminal penalties to a maximum of at least one to three years of imprisonment 
(Article 6.2). As for the “aggravating circumstances”, the criminal draws a maximum of at 
least two to five years imprisonment (Article 7.1). These aggravating circumstances include 
an organized attack, and an attack that has “caused serious damages or has affected essential 
interests” (Article 7.2). Criminal organization is defined as a “structured association, 
established over a period of time, of two or more persons, acting in a concerted manner with 
a view to committing offences.”*”? 

It is worth noting that the matters mentioned in the Framework Decision can also be 
found in the Convention on Cybercrime.*”° After revision of the legislation required by the 
Convention, the national law (of Finland) will also meet the demand of the Framework 
Decision.**! Today, comprised of 27 member states and three candidate countries, the EU 
remains active in addressing cybercrime. 

(iv) The Organization of American States (OAS) 

As other regional organizations, the Organization of American States (OAS) with 35 
member states is also highly concerned about the issue of cybercrime. Through its forum for 
the Ministers of Justice or of the Ministers or Attorneys General of the Americas (REMJA), 
the OAS has long recognized the central role that a sound legal framework plays in 
combating cybercrime and protecting the Internet. Such recognition has prompted the 


REMJA to recommend the creation of the Group of Governmental Experts on Cybercrime 





*° Article 1, Joint Action 98/733/JHA of 21 December, 1998 adopted by the Council on the Basis of 
Article K.3 of the Treaty on European Union, Official Journal L 351, 29 December, 1998. 
0 HE 153/2006, Detailed Justifications, 2. Framework Decision and Valid Legislation. 
341 s- 
ibid. 


(The Group of Experts) in March 1999.*” The Group of Experts has been devoted to 
analysing cybercrimes, to inspecting the domestic cybercrime law, and to finding ways of 
cooperating in the Inter-American system of combating cybercrime. The Group of Experts 
has held four meetings.*”? 

The Meeting of the Ministers of Justice or of the Ministers or Attorneys General of the 
Americas (REMJA IID*™* has urged member states to take steps to endorse cybercrime law; 
harmonize cybercrime laws to make international cooperation possible. The Meeting of the 
Ministers of Justice or of the Ministers or Attorneys General of the Americas (REMJA v)** 
has recommended that member states evaluate the advisability of implementing the principles 
of the Convention on Cybercrime, and consider the possibility of acceding to that 
Convention. 

In 2004, the Fourth Plenary Session of the Organization of American States General 
Assembly passed the resolution on “Adoption of a Comprehensive Inter-American Strategy 
to Combat Threats to Cybersecurity: A Multidimensional and Multidisciplinary Approach to 
Creating a Culture of Cybersecurity, ” proposing that “An effective cybersecurity strategy 
must recognize that the security of the network of information systems that comprise the 


Internet requires a partnership between government and industry.”*° 


12.5 Multi-national efforts 


Unlike professional organizations that are limited to a more specific field of concern, and 


unlike regional organizations that are limited to a more specific location of states, the 





*” Meeting of Ministers of Justice or of Ministers or Attorneys General of the Americas (REMJA ID), 


Chapter V. 

*8 The First Meeting and Second Meeting were held in May and October 1999, separately, the Third 
Meeting in June 2003, the Fourth Meeting in February 2006, all in Washington D. C. U. S. See OAS 
web site, at http://www.oas.org/juridico/english/cyber_experts.htm 

“4 Meeting of Ministers of Justice or of Ministers or Attorneys General of the Americas (REMJA IID), 
Chapter IV. 

* Meeting of Ministers of Justice or of Ministers or Attorneys General of the Americas (REMJA V), 
Appendix I. 

6 AG/RES. 2040 (XXXIV-O/04), Adopted at the fourth plenary session of the Organization of 
American States General Assembly held on 8 June 2004 in Quito, Ecuador. 
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multi-national international organizations care for affairs of a broader range and take actions 
in a broader territorial environment. This section recounts the efforts of three of the 
multi-national organizations. 

(i) The Commonwealth of Nations 

The Commonwealth of Nations took a direct and timely action in the harmonizing laws 
of its member states. In October 2002, the Commonwealth Secretariat prepared the “Model 
Law on Computer and Computer Related Crime” (Bourne 2002, p. 17). Within the 
Commonwealth’s 53 member countries, the “Model Law” has had a wide influence on 
domestic legislation. Through this model law, the Convention on Cybercrime has become one 
of the legislative choices in substantive criminal law, covering the offences of illegal access, 
interfering with data, interfering with computer systems, illegal interception of data, illegal 
data, and child pornography. 

Compared with the Convention on Cybercrime, the Model Law expanded criminal 
liability —so as to include reckless liability- for the offences of interfering with data, 
interfering with computer systems, and using illegal devices. The Model Law also covered 
the problem of dual criminality by stating that the act applied to an act done or an omission 
made by a national of a state outside its territory, if the person’s conduct would also 
constitute an offence under a law of the country where the offence was committed. This may 
lead to prosecution or extradition based on dual criminality, but not extradition as it is 
provided in the Convention on Cybercrime.**’ 

Some of the member countries of the Commonwealth have made efforts to draft 
domestic law according to the model law, such as Bahamas and St. Lucia.*? In Barbados, 
Belize, and Guyana, the Model Law is being considered as a guide to the enactment of 
similar legislation. * However, in many other countries of the Commonwealth, there is still 
no special legislation for cybercrime.*”” 


Besides impelling legislation within the forum, another focus of the Commonwealth is 





7 Legal and Constitutional Affairs Division Commonwealth Secretariat, Report on Law and 


Technology Workshop for the Caribbean, Kingston, Jamaica, 3-7 November, 2003, published in 
January, 2004. 

“8 ibid. 

” ibid. 

ibid. 
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on mutual assistance in law enforcement between Commonwealth member states and 
between Commonwealth member states and non-Commonwealth states. In the 2005 Meeting 
of Commonwealth Law Ministers and Senior Officials, the Expert Working Group proposed 
10 recommendations for member states to adopt suitable measures for improving domestic 
law enforcement and trans-national assistance, and encouraged member states to sign, ratify, 
accede to and implement the Convention on Cybercrime as a basis for mutual legal assistance 
between Commonwealth member states and non-Commonwealth states.**! 

(ii) The Group of Eight (G8) 

Since the mid-1990s, the Group of Eight (G8) has created working groups and issued a 
series of communiqués from the leaders and actions plans from justice ministers. At the 
Halifax Summit 1995, the Group of Seven recognized “that ultimate success requires all 
Governments to provide for effective measures to prevent the laundering of proceeds from 
serious crimes, to implement commitments in the fight against trans-national organized 


» 3° The group released 40-point set of “recommendations to combat Trans-national 


crime. 
Organized Crime efficiently” at the G7/P8 Lyon Summit. The recommendations urged the 
states to increase the level of criminalization, prosecution, investigation, and international 
cooperation, while acknowledging in their entirety human-rights protection.*»° 

At the Denver Summit 1997, the Group of Eight proposed to strengthen their efforts to 
realize the Lyon recommendations, by concentrating on punishing high-tech criminals, and 
promoting the governments’ technical and legal abilities to react to trans-territorial computer 
crimes.*** The Group of Eight Meeting of the Justice and Interior Ministers of December 
1997 responded to the increased international movement of criminals, organized crime, and 


terrorists and their use of the ICT. *° Ministers noted, in a Statement of Principles 


Concerning Electronic Crime, that, while criminal legislation was a national responsibility, 





35! Commonwealth Secretariat, The Harare Scheme on Mutual Assistance in Criminal Matters: 
Possible Amendments to the Scheme and Discussion of Interception of Communications and Related 
Matters, Meeting of Commonwealth Law Ministers and Senior Officials, Accra, Ghana, 17-20 
October 2005. Annex 1: Summary of recommendations of the Expert Working Group, R4, p. 5. 

352 G7, Chairman’s Statement, 17 June 1995, Halifax Summit, 15-17 June 1995. 

*3 P§ Senior Experts Group, 40 recommendations to Combat Trans-national Organised Crime, Paris, 
12 April 1996, Reference: 1996CIla5. 

354 GB. Communiqué, Denver, 22 June 1997, Denver Summit of the Eight, 20-22 June 1997. 

*°° December 1997, the G8 Meeting of Justice and Interior Ministers. 
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the character of the information networks obstructed countries from operating traditional 
power over this problem. Domestic legislations have to be complemented by international 
cooperation to criminalize the abuse of the networks and harmonize the investigative 
action.**° 

At the subsequent summits, the Group of Eight repeatedly expressed their concern about 
cybercriminality. At the Okinawa Summit, the Okinawa Charter on Global Information 
Society adopted the principle of international collaboration and harmonization of cybercrime. 
“In order to maximize the social and economic benefits of the information society”, the 
Group of Eight agreed on principles and approaches for the protection of privacy, the free 
flow of information, and the security of transactions.*”’ 

The Charter recognized that the security of the information society necessitated 
coordinated action and effective policy responses.*°* 

(iii) The Organization for Economic Cooperation and Development (OECD) 

With its 30 member countries, the OECD addressed computer security for several 
decades. In 1983, an expert committee was appointed by the OECD to discuss computer 
crime phenomena and criminal-law reform (Schjolberg and Hubbard 2005). Offences against 
confidentiality, integrity or availability listed in the 1985 OECD document included 
unauthorized access, damage to computer data or computer programmes, computer sabotage, 
unauthorized interception, and computer espionage.*’ In December 1999, the OECD 
officially approved the Guidelines for Consumer Protection in the Context of Electronic 
Commerce (Department of Justice 2000, p. 27), representing member states’ consensus in the 
area of consumer protection for e-commerce: consumers should be protected in e-commerce 
not less than the protection they enjoyed within traditional commerce (Department of Justice 
2000, p. 27). The OECD adopted Guidelines for the Security of Information Systems and 


Networks in July 2002, calling on member governments to “establish a heightened priority 





356 sy. 

ibid. 
G8, Okinawa Charter on Global Information Society, Okinawa, 22 July 2000. 
358 sp. 

ibid. 
Computer-Related Crime: Analysis of Legal Policy, ICCP Series No. 10, 1986. Cited in UN, 
Crimes related to Computer Networks: Background Paper for the Workshop on Crimes Related to the 
Computer Network, Tenth UN Congress on the Prevention of Crime and the Treatment of Offenders, 
Vienna, 10-17 April 2000, A/CONF. 187/10. 
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for security planning and management”, and to “promote a culture of security among all 
participants as a means of protecting information systems and networks” (OECD 2002a, Part 
I). 

The Guidelines established nine principles, including awareness, responsibility, 
response, ethics, democracy, risk assessment, security design and implementation, security 
management, and reassessment (OECD 2002a, Part III). Because of the nature of the 
guidelines and the distance from the legal actions, practical endeavours were left to the 


member countries to make. 


12.6 Global efforts by the United Nations (UN) 


In a certain sense, there are numerous global organizations. Nevertheless, the UN is 
capable of being identified as the only global organization that forms a forum of its 191 
member states with fuller functions. Compared with professional organizations, the UN does 
not limit its activities to certain domains. Compared with regional organizations, the UN does 
not limit its activities to certain states (in the field of cybersecurity protection and cybercrime 
prevention). The actions of the UN have unique advantages in coordinating international 
positions. 

In 1985, General Assembly Resolution 40/71 of 11 December called upon Governments 
and international organizations to take action in conformity with the recommendation of the 
commission on the legal value of computer records of 1985, in order to ensure legal security 
in the background of the broadest possible use of information processing in international 
transactions. 

In 1990, the General Assembly of the UN adopted the Guidelines Concerning 
Computerized Personal Data Files. It proposed to take appropriate measures to protect the 
files against both natural and artificial dangers. The Guidelines extended the protection of 
governmental international organizations (Part B). 


“The International Review of Criminal Policy: United Nations Manual on the 





36 See UN General Assembly Resolution A/RES/51/162 (30 January 1997). 
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Prevention and Control of Computer-related Crime” called for further international work and 
presented a proper statement of the problem. It stated that at the international level, further 
activities could be undertaken, including harmonizing substantive law, and establishing a 
jurisdictional base.*”! 

The Background Paper for the Workshop on Crimes Relating to the Computer Network 
at the Tenth UN Congress on Prevention of Crime and Treatment of Offenders proposed two 
levels of definition of cybercrime: In the narrow sense, that is, the strict computer crime, had 
to refer to “any illegal behaviour directed by means of electronic operations that targets the 
security of computer systems and the data processed by them.” In the broad sense, that is, 
computer-related crime denoted “any illegal behaviour committed by means of, or in relation 
to, a computer system or network, including such crimes as illegal possession, offering or 
distribution information by means of a computer system or network.’”* 

The UN General Assembly has endorsed several resolutions dealing with its desire to 
witness progress regarding this issue. According to information provided by Schj@berg and 
Hubbard (2005), checking Resolutions 55/63 (2000) and 56/121 (2001) on Combating the 
Criminal Misuse of Information Technology, the value of the Group of Eight Principles was 
noted, and states were urged to consider these principles; checking Resolutions 53/70 (1998), 
54/79 (1999), 55/28 (2000), 56/19 (2001), 57/53 (2002), 57/239 (2002), 58/32 (2003), and 
58/199 (2003), all calling on member states “to promote the multi-lateral consideration of 
existing and potential threats in the field of information security, as well as possible measures 
to limit the threats.”°° These resolutions have the same motive to improve the cybersecurity 
awareness at both the international and the national levels. 

In Resolution 55/63, the General Assembly noted the value of the following measures to 
combat computer misuse: 

(a) To ensure the elimination of safe havens for cybercriminals; 


(b) To coordinate cooperation in the investigation and prosecution of cybercrime; 





*6! United Nations Crime and Justice Information Network (1999), Paragraph 295. 

°© UN, Crimes Related to Computer Networks: Background Paper for the Workshop on Crimes 
Related to the Computer Network, Tenth UN Congress on the Prevention of Crime and the Treatment 
of Offenders, Vienna, 10-17 April 2000, A/CONF. 187/10, p. 5, paragraph 14. 

*®3 See UN web site. 
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(c) To exchange information for fighting cybercrime; 

(d) To train and equip law-enforcement personnel to address cybercrime; 

(e) To protect the security of data and computer systems from cybercrime; 

(f) To permit the preservation of and quick access to electronic data pertaining to 
particular criminal investigations; 

(g) To ensure mutual assistance regimes for the timely investigation of cybercrime and 
the timely gathering and exchange of evidence; 

(h) To remind the general public of the requirement to prevent and combat cybercrime; 

(1) To design information technologies to help to prevent and detect cybercrime; 

(j) To take into account both the protection of individual freedoms and privacy and the 
preservation of the capacity of Governments to fight cybercrime. 

The General Assembly invited States to consider the measures in their endeavour to 
fight the criminal misuse of information systems, and decided to maintain the question of the 
criminal misuse of information technologies on the agenda of its future session. 

In Resolution 56/121, the General Assembly invited states to consider the work and 
achievements of the Commission on Crime Prevention and Criminal Justice and of their 
international and regional organizations when developing national law, policy and practice to 
prevent cybercrime. 

The resolution emphasized the value of the measures set forth in Resolution 55/63, and 
again invited states to take them into account in their efforts to combat the criminal misuse of 
information technologies. However, the General Assembly decided to postpone consideration 
of this subject, pending work considered in the plan of action against high-technology crime 
of the Commission on Crime Prevention and Criminal Justice. 

It is necessary to mention that, besides the advantages, the disadvantages of the UN’s 
actions are also striking. The UN is a multifunctional international organization, which in 
some sense has malfunctioned over the years. Focusing on the current topic, it can be said 
that the consensus on cybercrime in this forum remains a preliminary one. The diversified 
legal systems of members of this gigantic organization hinder the conclusion of a fruitful 


agreement. 
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12.7 The focuses of international harmonization 


From the above presentation on international actions in anti-cybercrime areas, we can 
further summarize the major themes of these international organizations. These aspects 
mainly include the promotion of security awareness at both the international and national 
levels, the harmonization of legislation, coordination and cooperation in law enforcement, and 
direct anti-cybercrime actions. 

(1) The promotion of security awareness at the international level 

The typical actions in this aspect have been taken by the UN. The UN’s two Resolutions 
(55/63 (2000) and 56/121 (2001)) on Combating the Criminal Misuse of Information 
Technology recalled the importance of the Group of Eight principles, and urged states to take 
these principles into account. Some other resolutions also called on member states to promote 
the multi-lateral consideration of existing and potential threats in the field of information 
security, as well as promising measures to limit these threats. Other international 
organizations also made efforts to promote security awareness at the international level. For 
example, after the 9/11 incidents, the APEC Leaders called for a reinforcing of APEC 
activities to protect critical infrastructure. 

(11) The promotion of security awareness at the state level 

All international organizations have made efforts to promote security awareness at the 
domestic level. For example, APEC guided its member states and regions to promote 
cybersecurity and tackle the threats of cybercrime. APEC also conducted a project for 
developed states to support other states in training personnel. The Shanghai Declaration of 
2002 supported measures to fight against misuse of information. 

(iii) Harmonization of legislation 

Legal harmonization has been a major emphasis on the work of various international 
organizations. Harmonization in Europe started in the 1980s and a recent achievement was the 
Convention on Cybercrime. Other international organizations have also endeavoured to attain 
legal harmonization. Early in 1981, Interpol surveyed the criminal laws of member states so 
as to explore defects in the existing legislation, and made efforts to harmonize the laws. 
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Today, Interpol’s African Working Party on Information Technology Crime Projects is trying 
to persuade the African states to sign and ratify the Convention on Cybercrime. APEC also 
took steps to survey the laws and to encourage economies to enact comprehensive laws 
consistent with the Convention on Cybercrime and the pertinent UN resolutions. The EU 
Framework Decision of 2002 specifically granted the member states the responsibility of 
criminalizing the offences of illegal access to and illegal interference with information 
systems. The REMJA urged states to criminalize cybercrime and harmonize the member 
states’ laws, and consider the possibility of joining the Convention on Cybercrime. The 
Commonwealth Model Law on Computer and Computer Related Crime expanded the 
criminal liability of the Convention on Cybercrime so as to include reckless liability. Through 
this Model Law, the Commonwealth made efforts to criminalize cybercrime in the member 
countries. The Group of Eight Paris Conference discussed the public and private interact with 
the objective of implementing an international penal code for fighting cybercriminality. The 
Okinawa Charter on Global Information Society further consented to international 
collaboration and harmonization concerning cybercrime. 

(iv) Coordination and cooperation in law enforcement 

Interpol’s European Working Party on Information Technology Crime compiled the 
Computer Crime manual to provide technical guidance in law enforcement. The Convention 
on Cybercrime also covers cooperative mechanisms in law enforcement against cybercrime. 
The EU discussed about the retention of traffic data in 2001. The Ministers of Justice or 
Ministers or Attorneys General of the Americas (REMJA)’s Group of Experts on Cybercrime 
have been devoted to discover cooperation ways in the Inter-American system to combat 
cybercrime. The Group of Eight reviewed existing cooperation mechanisms and gaps, and 
made attempt to discover ways to fill these gaps. The Group urged the states to increase 
criminalization, prosecution, investigation, and international cooperation. The Denver Summit 
proposed to promote governments’ technical as well as legal abilities to act in response to 
trans-territorial computer crimes. The Birmingham Summit called for agreement on a legal 
framework for evidence preservation and protection of privacy, and for agreements on the 
international sharing of evidence so as to struggle more effectively against a broad scope of 
crimes, including cybercrime. 
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(v) Direct anti-cybercrime actions 

The direct international anti-cybercrime actions comprise two fundamental aspects: 
cybercrime prevention and cybercrime investigation. They have been more valuable before 
international harmonization in legislation could come into being. Different organizations have 
taken individual measures with specific emphases. For example, Interpol directly cooperated 
with credit-card companies to fight against payment fraud. The OECD’s Guidelines for 
Consumer Protection in the Context of Electronic Commerce 1999 emphasized the protection 
of consumers in e-commerce as well as that in traditional commerce. Guidelines for the 
Security of Information Systems and Networks 2002 called on member governments to 
“establish a heightened priority for security planning and management”, and to “promote a 
culture of security among all participants as a means of protecting information systems and 


networks”. 


12.8 From conversation to the European Convention 


As one of the most outstanding achievements, international actions bred a comparatively 
effective implementation: the Convention on Cybercrime and its Protocol. The general 
purpose of the Convention is laid down in the Preamble as to deter crimes against the 
confidentiality, integrity and availability of information systems and the misuse of such 
systems. The purpose of the Protocol is to supplement the provisions of the Convention on 
cybercrime on the criminalization of acts of a racist and xenophobic nature committed 
through information systems (Protocol, Article 1). 

The Convention has been widely accepted as a landmark, providing for both the 
substantive and procedural legal frameworks, both the domestic and international level of 
countermeasures, so as to achieve higher effectiveness in fighting against cybercrimes.° - 

Articles 2-12 of the Convention have required nations to criminalize the activities of 
illegal access to data and computer systems; illegal interception; data and systems 


interference; misuse of devices that can be used to enact the aforementioned crimes; 





* Convention on Cybercrime, Preamble, Paragraph 9. 
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computer-related forgery and fraud; content-related offences including child pornography; 
copyright crimes; and attempt, aiding or abetting. Article 13 of the Convention also 
establishes corporate liability, and sanctions and measures for these offences. Articles 3-7 of 
the Protocol requires nations to criminalize the activities of disseminating racist and 
xenophobic information through information systems. Also to be criminalized is racist and 
xenophobic motivated threat, racist and xenophobic insult, and in respect of genocide or 
crimes against humanity, denial of their existence, gross criminalistic approval or justification 
of them, and the behaviour of aiding and abetting them. 

The Convention provides two constituent elements for cybercrimes. First, the 
Convention establishes criminal liability on the subjective element of intent. Sometimes, the 
constitution of certain offences requires elements such as intent to procure “economic 
benefit” in computer-related fraud provided by Article 8. Second, the Convention establishes 
criminal liability on the objective element on act “without right” in all offence provisions. 
The problems of what is an act committed intentionally, what is an act with right and without 
right, are all left to national law interpretation. 

The Convention allows domestic laws to provide additional constituent elements, and 
provides the possibility of a reservation.*”° Apparently, the Convention fully respects the 
decision-making of member states on the matter of criminal policy. As a result, we have good 
reason to worry that this diversified implementation will decrease the consensus on the 
harmfulness of conducts and increase the possible obstacles to international actions. The 
negative effect of this kind of provision is expected to diminish the effectiveness of 
prolonged expensive international negotiation for an agreement, although the provision itself 
is exactly one of the contents negotiated and agreed upon. 

The Convention has also been criticized by civil liberties groups concerned that it will 
undermine individual privacy rights and that it expands too greatly surveillance powers, and 
is fundamentally unbalanced. As Taylor (2004) pointed out, the Convention contains 


comprehensive, far-reaching powers of surveillance, search, and seizure, while lacking a 





© Convention on Cybercrime, Articles 2-12. 
°° Thid, Articles 40 and 42. 
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367 The basic concerns in the 


criterion for the protection of privacy and limitation of power. 
field of human rights are the over-expansion of the states’ power of surveillance, and 
over-criminalization of citizens’ behaviour. Before information systems have been completely 
developed, the states would strictly take this borderless system under control; those who use 
information systems would voluntarily enter the tight legal encirclement. For those who use 
information systems before these legal instruments, they are to accept externally imposed 
constraints; while for those who use information systems after these provisions, they are born 
into an inherent limitation. Both these two groups of users may feel a loss of freedom of 
information. 

Despite the anxiety mentioned above, the Convention has unquestionably had some 
influence on the worldwide consensus in relation to the predicament of cybercrime. We are 
capable of seeing that the Convention will become one of the important steps towards a 
broader international accomplishment. 

Firstly, some countries have taken practical measures to ratify the Convention. The total 
number of ratifications and accessions is 19 countries, including one non-member state of the 
Council of Europe, the U. S., with 24 countries (including three non-member states of the 
European Council, Canada, Japan and South Africa) having signed the Convention, not 
followed by ratifications.°* The treaty has entered into force in only a small number of 
countries, representing a small proportion in terms of land area and population. However, it is 
still an important step towards a broader consensus: “A little is better than none.” 

Secondly, besides successful endeavours, countries, including most signatory countries, 
are still on their way to ratifying the treaty. The Council of Europe Conference on 
“Cybercrime: a Global Challenge, a Global Response” in 2005 “strongly encourage States to 
consider the possibility of becoming Parties to this Convention in order to make use of 
effective and compatible laws and tools to fight cybercrime, at domestic level and on behalf 


99369 


of international co-operation. The treaty has come into force in some of the Nordic 





°°” Taylor, G. The Council of Europe Cybercrime Convention: A Civil Liberties Perspective, 23 July 


2004. Retrieved 15 March 2007, from http://crime-research.org/library/CoE_Cybercrime.html 

° See Council of Europe, Convention of Cybercrime, CETS No. 185, Chart of Signatures and 
Ratifications, 19 February 2007. 

°° Council of Europe, Conclusions of the Council of Europe Conference on “Cybercrime: a Global 
Challenge, a Global Response”, Madrid, 12-13 December 2005. 
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countries, including Denmark, Iceland, and Norway, but Finland and Sweden are still seeking 
ratification though they were both countries of signature on the date opening for signature in 
2001.°”° 

However, this process has proved hard without the expected number of countries 
ratifying in the five-year period after the Convention was open to signature. The pressure 
against not ratifying the treaty coming from inside the countries seems to be a greater 
obstacle than the differences over the drafting of the document. A significant obstacle comes 
from the difference of legislative styles between the Convention and the individual countries. 
Many of the valid provisions in current Finnish law do not need revision.*”' Whether the 
original Finnish Penal Code (which includes quite a few revisions concerning offences 
relating to data processing) is capable of dealing with all of the offences provided by the 
Convention has not been tested in judicial practice. But the Finnish legislature will have to 
add some new provisions to the Penal Code, if it wants to cope with the Convention. 
Expressly, provisions concerning the offence of interference with and gross interference with 
the information processing systems, the offence of possession of instruments for cybercrime 
(covering the computer viruses), the liability for inchoate cybercrime, and for corporate 
liability, and so forth must be taken im 

The critical challenge of the Convention on Cybercrime to conventional international 
legal cooperation lies in the absence of a demand for the double criminality criterion. Since 
this criterion is in decline, individual countries are far from implementing it in domestic law, 
either. In accepting the Convention, individual countries will therefore have to revise 
domestic laws in the relevant area.*”* 

Some other countries are seeking to remodel the Convention so as to provide a 
prohibition on the types of conducts and to create procedural and international mechanisms 


for serving successful investigations and prosecutions of crimes. The flexibilities of the 





°° See, for example, the Governmental Proposal HE 153/2006 of Finland, which aims at bringing 
the Convention on Cybercrime and the European Union’s Framework Decision on Attacks against the 
Information System into force in Finland and making relevant revision in domestic provisions 
according to the Convention (HE 153/2006, 3. Objectives and Central Proposals). 
*"! HE 153/2006, Detailed Justifications. 
ts HE 153/2006, General Justifications, 3. Objectives and Central Proposals. 

ibid. 
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Convention may have a positive effect in leaving to member states the alternative of using 
different methods and languages in their domestic law. This may actually lead to a wider 
application of the Convention so as to cover more and diversified legal systems. While the 
U.S. has asserted that its own domestic law dos not need revision, South Africa has 
implemented substantial criminal provisions in line with the Convention. Japan is considering 
filling the gap between its domestic law and the Convention. At least, among the APEC 
economies, Taiwan, the Philippines, and Hong Kong are considering taking the Convention 
as the basis on which they will carry out their own legislative amendments. 

Some international organizations are propelling cooperation in promoting the member 
states’ access to the Convention. As mentioned above, in the framework of Interpol, the 
African Working Party on Information Technology Crimes is working to promote domestic 
legislation and adherence to the Convention. APEC, the EU, and the REMJA V of the OAS 
have also taken measures to spread the Convention to its member states. 

There are also efforts to develop cybercrime legislation beyond the Convention. As 
mentioned above, the Commonwealth’s model law represents a breakthrough in extending 
criminal liability to the mens rea of offences of interfering with data, interfering with 
computer systems, and illegal devices so as to include reckless liability. Some of the 
Commonwealth’s member states are also on their way towards legislation that will model the 
Convention and model domestic law. 

Finally, in fact, most countries, particularly countries where cybercriminals are usually 
left at large, have taken no action in spite of the importance of the Convention. These 
countries have very specific interests in maintaining what may be considered “criminal” in 
other countries but are “legal” in their own countries, as far as web sites, services, or even 
sales of goods online are concerned. The potential cybercrime perpetrators, regardless of 
whichever nationality they belong to, also seek asylum in such countries in order to escape 
punishment by countries that are seeking to extend their judicial arms to deal with cases 
committed inside their sovereign territory and committed by their citizens outside their 
territory. 

Although the Convention on Cybercrime has been attracting increasing attention at both 
the domestic and international levels, it is necessary to point out that, once the Convention 
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was in documentary form, the enthusiasm and efforts of other international entities towards a 
higher degree of international harmonization of legislation have been to some extent 
weakened. This situation reflects neither the purpose, nor the intended side effect of the 
Convention. However, a ready instrument must have its negative influence on the otherwise 
unsettled disputes of the problems of cybercrime deterrence. Regrettably, both the advantages 
and disadvantages of the Convention will bring about a more cautious discussion and a better 
plan will be discouraged from being implemented. At least, the similar but different schedules 
for international treaties, in either broader or narrower scope, have seen an interruption with 
the passing of the Convention. The Convention thus becomes not only a mutual compromise 
of member states, but also a turning-point in the knowledge and experiences of cybercrime 
punishment and prevention. 

Traditionally, new legal instruments have usually been the subject of academic 
annotation immediately after its implementation, while the legislature is usually reluctant to 
change existing legal instruments. These two factors further determine the unfortunate fate of 
the better and newer proposals, particularly proposals having more or less better elements 
than the implemented one. In a word, we can say that classics were good, but classics hinder 
better classics; consensus are good, but consensus always hinders better consensus: and the 
Convention is good, but it potentially hinders a better convention. 

Although the Convention was also appraised by politicians, such as the U. S. President 
George W. Bush, as “providing for broad international cooperation in the form of extradition 
and mutual legal assistance”, and containing “safeguards that protect civil liberties and other 
legitimate interests” (Bush 2003), the effectiveness of the Convention’s cooperative 
framework is subject to reasonable doubt without a majority of countries’ access to the 
agreement (Goldsmith 2005, p. 4). Authors such as Archick (2004) have proposed that the 
Convention’s arm would not be long enough to reach the countries that are regarded as a 
“haven” for cybercriminals: attacks are launched from those countries, but the countries do 
not join the agreement. Consequently, the countries with law and without law, or being the 
member and being non-member of the Convention, have to encounter mutual conflicts. The 
situation confronting international society is obviously still one of the tardiness of the 
acceptance of existing instruments and the lack of a universal agreement. 


336 


12.9 Limited progress in international harmonization 


Over the years, the international co-operation on cybercrime “has been very active and 
comprehensive” (Pihlajamaki 2004, p. 286). The international level of consensus on criminal 
law has, however, not been achieved. Previously, the criminalization of war crimes, crime 
against peace, crimes against humanity, genocide, torture, and other crimes have been the 
successful examples. The application of pertinent agreements in specific courts has 
demonstrated that an international forum can acquire certain achievements prior to legislation 
at the national level. Traditional international criminal law has aimed at harmonizing 
substantive law and coordinating procedural law on offences that have existed in society since 
the coming into being of humankind.*”* Presently, what the countries are eager to realize is 
an international agreement on offences with a history of only several decades. The anxiety for 
success, the absence of trial practice, the lack of an accumulation of experience and 
knowledge, the alienation between the legislature and general public, and the different 
interests between the various countries, all deliver an international consensus in its lowest 
form. It is inevitable that during the drafting stage and particularly after the Convention on 
Cybercrime has been opened for signature, many commentators have published their 


evaluation and criticism. *” 


Combined with other progress made in_ international 
harmonization, the most important unsolved problem may be the limited participation and the 
limited consensus. 

Firstly, international harmonization has hitherto been primarily the forum of the 
developed countries. The working mechanism of an effective international treaty is for all of 


the signatory countries to take effective action and preserve a common theatre of operation. 


The treaty is not aimed at any third party and thus the third party is not restrained by it. The 





° The origin of human beings has been an unsolved theoretical problem. Genesis theory and 
evolutionary theory might be the most influential arguments. 

7° For an overall evaluation on the Convention on Cybercrime, see Jones (2005). The Convention 
was also subject to criticisms from individuals and organizations, such as the American Civil Liberties 
Union and others. 
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participating countries of the Convention on Cybercrime are limited, representing only a 
limited population. Along with the development of the Internet globally, the number of 
cybercrimes will be correlated with the population base of Internet penetration, and the global 
population base. Most of the present international harmonization measures have not been 
incorporating the countries with the largest population. This will make the measures less 
effective. Considering the characteristics of cybercrime, the “safe haven for criminals” can 
only be eliminated when almost all the sovereign states have access to one agreement and 
almost all the online users are subject to the power of law enforcement. Although an 
international document can be modelled by member states when making domestic laws, the 
expectations should not be raised too high in respect of a timely update at a similar pace when 
it comes to international measures. 

Secondly, another limitation is that a lower level of consensus has been reached. Unlike 
traditional offences in international criminal law, which have rarely been penalized in 
domestic law, cybercrime was initially devised in the legislation at the national level. In many 
countries, domestic legislation on offences such as genocide, crime against peace and similar 
types of crime did not happen before the countries were subject to the obligation of 
international treaties. The situation of cybercrime is that countries that have already enacted 
laws assisted or forced the countries that have not enacted laws to enter a consensus. As a 
whole, international cooperation in preventing cybercrime is more sluggish than domestic 
legislation; its impact on domestic legislation is, nonetheless, undeniable. Domestic laws 
should be amended according to international instruments so that the measures provided in 
the international instruments can be effectively carried out. An agreement on a wider scope of 
issues in cybercrime is also necessary so as to ensure effective law enforcement. However, 
such an agreement is still lacking. The efforts of various international organizations should be 
integrated into a more unified action. 

Thirdly, there is, strangely, a tendency towards pluralization on the international 
harmonization. In regulating or deregulating the information community, different interest 
groups stay at different standpoints. In criminalizing and decriminalizing the online activities, 
different players hold different opinions. Different organizations propose countermeasures for 
the benefit of a certain number of their member states. Yet other organizations oppose any 
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kinds of plans for imposing constraints on the free use of information systems. The 
mechanism is that while one interest group is anxious about the misuse of information 
systems, another group may concentrate on the side-effect of anti-misuse actions. Various 
international harmonization measures are full of a trade-off of interests and a contrast of 
powers. This marathon process of negotiation has inherited the inherent style of international 
actions. 

Fourthly, another tendency is the regularization of international harmonization. The effect 
of international harmonization is less significant compared with the efforts. The role of the 
UN as a universal international organization seems limited to arranging an international treaty 
in this area. If the United Nation’s frequent “call” does not motivate member states to 
legislate on cybercrime, a universal agreement would be a better alternative in promoting 
consensus. The UN may have the opportunity to incorporate the consensus reached in other 


fields into the above-mentioned unified action. 


12.10 Conclusion 


Globalization does not mean globalized welfare at all. Globalized information systems 
accommodate an increasing number of trans-national offences. The network context of 
cybercrime makes it one of the most globalized offences of the present and the most 
modernized threats of the future. We can take actions in two different ways to resolve this 
problem. One is to divide information systems into segments bordered by state boundaries. 
The other is to incorporate the legal system into an integrated entity obliterating these state 
boundaries. Apparently, the first way is unrealistic. Although all ancient empires including 
Roman, Greece, and Mongolia became historical remnants, and giant empires are not 
prevalent in current world, the partition of information systems cannot be an imagined 
practice. Information systems become the unique empire without tangible territory. 

Offences occurring in information systems are not likely to receive punishment from this 
system. Rather, they are punishable by the territory-based states that they cross. It is 
increasingly stringent and necessary to establish an international cooperation system for 
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punishing cybercrime. Various international organizations have taken actions to resolve the 
problem in different forums and at different levels. 
The Convention on Cybercrime is acknowledged as a landmark in the sphere of the 


international harmonization of cybercrime law. ete 


However, apart from the fact that it 
represents a significant step forward, more states will have to sign the Convention and abide 
by its mandates in order to serve as a deterrent. International harmonization centred on the 
Convention is obviously limited and must necessarily be extended to more participating 
member states with an even wider scope of issues. The final effect should be achieved only 
through a universal agreement on combating cybercrime. The UN may have higher potential 
to implement such universal measures. However, we should not expect an instantaneous 
reaction from any of the international organizations, because not too much attention and 
interests of these international organizations are concentrated on the problem of crime or 
precisely, on cybercrime. While these organizations are devoted to dealing with the more 
important international affairs, threats against a critical information infrastructure will 
become more serious, until they are listed at the top of these organizations’ schedule. 
Consequently, the development of an international level of consciousness and an international 
level call for a national level of consciousness are still the grounds for effective actions. The 
need is to reassess and renew as necessary the present international legal frameworks, 
offering a forum for broader international discussion expressing an outlook towards 
increasing and advancing international law-enforcement cooperation among the national 
authorities. This development should consider the influences of the novel and emerging 
issues in respect of international law-enforcement cooperation, with recommendations on 
capacity-building, which should show an equal concern for the situation in countries at 


different stages of development so as to avoid a futureless future of information chaos. 





7° See the Council of Europe Cybercrime Conference, Conclusions, 15-17 September, 2004 
High-level Conference on the Challenge of Cybercrime. 
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CHAPTER 13. CONCLUDING RECOMMENDATIONS 


13.1 Dilemmas of cybercrime control 


The possibility of disseminating information in large quantities and at high speed serves 
both legitimate and illegitimate purposes. Cybercrime can be seen as a by-product of 
cyberspace, which is the product of information and communications technology. The current 
information systems are insecure systems, while the present Internet is an insecure network. 
Crime is a phenomenon that easily emerges but is difficult to eliminate. The phenomenon of 
cybercrime is the silhouette of the information society. The Internet services lack of 
controllability and become the breeding ground of cybercrime, as a response to which many 
governments have enacted specific legislation criminalizing invasive and destructive 
activities targeted at information systems. Because cybercrime, committed with the assistance 
of the globally-connected computer networks, can easily cross the territorial borders, it is 
unknown but broadly accepted that different countermeasures may create a paradise for 
cybercriminals. Great challenge has been posed for cybercrime control (Grabosky 2000, pp. 
9-16). Consequently, a critical step will be the elaboration of common international rules 
concerning these crucial factors so as to fill the legislative and jurisdictional gaps. 

Technology should be the preferential choice for eradicating cybercrime. Cyberspace 
can be considered as the expansion of society, while cybercrime is the extension of criminal 
phenomena. Although cyberspace is not entirely independent, there is the possibility and even 
necessity for autonomy within the independent factors. Technicians are constantly inventing 
technological countermeasures to deal with issues of cybersecurity, but an increasing number 
of commentators argue that the techniques of security cannot keep pace with techniques for 
discovering loopholes in information systems and for launching attacks on information 
systems. It is impracticable to solve the whole problem merely by technology. 

Cybercrime mobilizes law. Criminal law and other laws, professional codes, industrial 
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self-discipline and user ethics form guidelines, though their functions are quite varied as 
between the different countries. Most of the modern democratic countries do not use 
penalties as primary means for correcting human behaviour. Criminal law remains the main 
tool. However, if criminal law cannot respond to the reality of crime, if law cannot be enacted 
to impose a suitable liability on harmful activities, and if law cannot be enforced by qualified 
personnel, the law will unquestionably be ineffective. In fact, in the current technological 
environment, legislature and law enforcement can hardly adjust their activities in response to 
the new situations. Criminal law becomes a law the principle and stability of which hamper 
its inherent functions. This is contrary to the nature of law. 

Even some high-profile law-enforcement officers can fail in detecting offences, or 
misuse their posts to serve political ambitions, or fabricate fictitious cases. As some of their 
failure and misconduct become better known, the placing of trust in them will be 
accompanied by great risks. Apart from this concern, law-enforcement agencies, even in 
normal situations, have found that it is much more complex to detect, investigate, and convict 
cybercriminals than traditional criminals. In the networked world, it has become increasingly 
uncomplicated for criminals to avoid conviction by acting from a country where a conduct is 
neither criminalized nor prosecuted. International cooperation and legal harmonization are 
necessary for reducing investigation costs and increase enforcement effects. The Convention 
on Cybercrime is therefore used by governments in order to harmonize their cybercrime laws 
and increase cooperation and coordination between national law enforcements agencies. 
However, there is an especially long road before perfect harmonization is achieved. 
Unification of substantive criminal law, harmonization of jurisdiction, coordination, and 
cooperation in cybersecurity protection and cybercrime prevention, will all contribute to 
lower the cost of deterrence. 

As we mentioned above, the insufficiency of the existing legal framework and the 
inefficiency of detection and conviction imply that high costs will be involved in 
cybercriminal law enforcement. Seneca stated that: “He who does not prevent a crime when 
he can, encourages it.” (Lucius Annaeus Seneca, Troades CCXCI) The problem at present is: 
“He who does not prevent a crime when he cannot, also encourages it.” In addition to the 
technological obstacles, the limits imposed by state borders and the difficulties in establishing 
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international cooperative mechanisms render it burdensome to combat cybercrime effectively. 
The low quality of law and its enforcement finally results in injustice and inequality, 
destroying the long established principle of legality. An inefficient and ineffective legal 
framework for control over cybercrime will run the risk of creating new unfairness in the 
information age. The information society does not definitely lead to a harmonious world. 
Although pervasive information enables people of all circles to be more informed, and to 
work more efficiently and more effectively, it raises multiform questions. The distributive 
disequilibrium of information of various values between groups results in unbalanced power 
of control as well as anti-control forces. The deficiency of law and the prevalence of 
lawlessness may become two of the most notorious negative factors. 

From the standpoint of the above analysis, a worldwide unified model substantive and 
procedural cybercriminal law would be ideal but not practical. Regional international 
cooperation has a better basis and can be used to improve the legislation of participating 
member countries. Negotiation and cooperation among the developed, developing and 
transition countries provide the most important forum for eliminating the refuge for 
cybercriminals. 

The above discussion implies that law is not likely to be perfect. At the same time, we 
must also note that even if there is perfect law, it is not the perfect solution. Law must be 
enacted by some persons against some other persons. The absence of either a subject or an 
object in law enforcement would leave the law ineffective. Law enforcement has also 
frequently been disappointed with the effect of traditional crime prevention. The situation of 
cybercrime has nothing more special than its traditional counterparts in improving the 
prevention effect. Criminals have escaped detection regardless of the existence of law and of 
the police. We can be convinced by many findings and conclusions about traditional crime 
control programmes, for example, the situation in the following comments described by 
Duckett: 

“Gun control has not worked...The only people who have guns are criminals. We have 
the strictest gun laws in the nation and one of the highest murder rates. It’s quicker to pull 
your Smith and Wesson than to dial 911 if you're being robbed.” (Duckett, Washintong Post, 
22 December 1996) 
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Particularly, the private sector of the information society should not wait for any 
external remedies for their cybersecurity. Direct and instant approaches to protecting their 
information assets and online business is self-protection, upon which coordinative and 
cooperative mechanisms can be used as the ex post remedies. Practically, the function of 
judicial activities is to inflict liability on parties involved in the creation of insecurity, even 
though the supposed general deterrence of penalty can also forestall potential criminals from 
behaving detrimentally. 

Neither law nor technology can do everything, even in their duties. The more 
appropriate strategies for the control of cybercrime require an arrangement of law 
enforcement, technological and market-based solutions. Obviously, even if we combine all 
these measures, the problem would still not be solved. This recognition has become a 
consensus among cybersecurity and cybercrime researchers. For example, McConnell 
International (2000, pp. 1 and 7) stated that “self-protection” is inadequate to secure the 
cyberspace, and the law is necessary to play its role; however, “law is only part of the 
answer.” These dilemmas of maintaining cyberspace order necessitate the adoption of 
comprehensive measures. Pamela Samuelson (1989) mentioned that: “The law may not be 
the most precisely sharpened instrument with which to strike back at a hacker for 
damages...but sometimes blunt instruments do an adequate job.” Law in itself will hardly be 
able to act as complete substitutes for security measures. The law will hardly have enough 
deterrent power if the majority of people are unaware of its range and sense. Cybercriminals 
habitually consider that they are problem-solvers other than lawbreakers (Leiwo 1995, p. 50). 
The traditional hacker even thought the supposed “freedom of information” means that all the 
computers and networks should be open to every user. Under their codes, rules or ethics, the 
legal framework that traps the unauthorized intruders in information systems becomes an 
injustice. To awaken public awareness and consciousness concerning privacy and security, 
the task falls on the shoulder of education, and the market. In the end, all these measures are 


necessary, but none of them can work in an optimistic manner alone. 


13.2 The primary factors benefiting cybercrime 
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From the analysis and discussion in this dissertation, it is possible to draw several 
fundamental conclusions on why cybercrime exists and spreads. The explanation on the 
causes of crime has produced many criminological theories. Grabosky, Smith, and Dempsey 
(2001, pp. 2-3) turned to Cohen and Felson’s routine-activity theory (1979) and described an 
online presence of motivated offenders and suitable targets, and online absence of capable 
guardians. The factors involved in the dynamic interaction of cybercrime and the peripheral 
environment may be even more numerous. The opportunities for crime, the motivation of 
criminals, and lack of deterrence make it safer to commit cybercrime than traditional crime, 
and make it more beneficial to commit crime than to be engaged in legal occupation. I 
consider the following as the primary causal factors of the above phenomenon: 

(1) Cybercrime is the natural extension and irresistible tendency of criminal phenomenon 
in information systems. As Chapter 8 partly shows, to explore the reasons why there is 
cybercrime, it is inevitable to identify the root causes and evolution of crime. Crime has 
existed since ancient times, will exist eternally, but its nature changes along with the 
development of society. Wherever there are human activities, there will be deviances. As 
Radzinowicz and King pointed out: 

“No national characteristics, no political regime, no system of law, police, justice, 
punishment, treatment or even terror has rendered a country exempt from crime.” (1977, p.3) 

Information systems have been integrated as an inseparable part of society, and the 
traditional social problem will surely settle down in the new world. The inevitable fate of 
information systems can be expected to be similar to all the previously existing new worlds in 
human history. Although types of crime may be different from each other, criminality will 
develop together with an increase in criminal utility. In an information society, crimes are 
naturally symbolized by information. These crimes are committed using information systems, 
abusing information systems, and through information systems. The new crimes inherit the 
genetic characteristics of the old crimes, even though these characteristics may evolve and 
change. Cybercrime is the product of the evolution and change in traditional crimes, being a 
component of the changed criminal system, but not a brand-new creation. People should be 
neither frightened nor be unprepared for such a natural historical phenomenon. 
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(ii) Cyber transgressors and criminals lack a sense of guilt. The lack results from both 
internal and external factors that distort value judgement, that is, the perpetrator’s and the 
public’s ambiguous attitude towards such activities. Bequai (1983, pp. 70-84) brought 
forward the viewpoint of “lack of ethics as a cause of crime,” criticizing society’s “glorifying 
the computer criminals” (p. 72). Cornwall (1987, pp. 134-137) discussed the “lack of moral 
clarity” in the whole white-collar crime. From this aspect, though not all cybercrimes can be 
categorized as white-collar crimes, they have a similarity to white-collar crime. Cyberspace is 
a virtual world, in which there is a lack of social supervision over all conducts; it is in a 
hidden environment and one that is difficult to trace back. At the same time, the police remain 
blind to cybercrime to a great extent. Many perpetrators are even proved to think that the 
crimes they commit using the Internet represents their high intelligence quotient. In addition, 
there are the cases where virus authors and hacking perpetrators are praised and even hired for 
key positions in the information security industry. All this misinformation regarding virtue 
and vice removes the sense of guiltiness of the transgressors and criminals, stimulating the 
criminal mind, obliterating security and insecurity, and confusing the right with wrong. Under 
the control of this kind of consciousness, people are willing to engage in criminal actions, 
unlike most of us whose mental status is against any apparent deviance. Decency and 
deviance are contradictory orientations. 

(iii) Many users have a strong curiosity to access information systems and an intense 
desire for self-manifestation. Chapters 2, 6, and 8 had much to say about how cybercriminals 
become motivated. When the U. S. computers were attacked by Morris, it was recognized that 
“government and commercial experts were less prepared to deal with the worm invasion than 
were students” (Marshall 1988, p. 1121). In order to maintain information security, most 
networks are permitted access only to those authorized or to registered users. The 
unauthorized users are denied access through identity and password checks and other 
access-control mechanisms. However, this often touches the very thing that inspires common 
human nature —curiosity. In the face of the data that hackers cannot access, they develop 
malicious programmes to intrude into the unknown field, or they crack the passwords to probe 


into the closed space driven by curiosity. By cracking the networks defence and accessing 
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information systems, they demonstrate the high level of their technique, and considering this 
process as an intelligent challenge. 

(iv) The low cost of cybercrime and the difficulty in detection and evidence collection 
create incentives for potential perpetrators (see Chapters 3, 4, 6, 7, 8, and 9). The nature of 
high intelligence, trans-territoriality, and high concealment of cyber transgress and 
cybercrime make it difficult to detect and investigate the cases (See Conly 1991; Clark 1996; 
Stephenson 2000; Mandia and Prosises 2003; Mohay and co-workers 2003; Vacca 2005; 
Johnson 2006). Stating from another standpoint, cybercrime surpasses the current capacity of 
public and private regulators to control (Grabosky 2000, p. 2). As for the transgressors or 
criminals, they usually only need to click the mouse or knock the keyboard at home or in the 
office in order to commit the illegality in a short time. The risks and costs are in cybercrime 
lower than those in traditional crime, while the benefits are higher. This cost-effectiveness 
further strengthens the mind of the perpetrator to commit cybercrime. 

(v) A lag of cybersecurity legislation diminishes the striking force against cybercrime 
(see Chapters 8, 9, and 12). From the early days, scholars have recognized the importance of 
legal countermeasures. “The problem of computer crime is, in great part, the failure of our 
laws, jurists, lawyers, and law schools to adapt to the needs of a changing environment.” 
(Bequai 1978, p. 197) Particularly, “the legal establishment has shown a reluctance to meet 
change.” (ibid.) Due to the mere absence of legislation, many famous hackers never received 
corresponding punishments. Some others were questioned or even detained for some time 
before no law can be found appropriate to convict them. There is no universal international 
consensus on what exactly cybercrime is, and who has the capacity to exercise jurisdiction. 
Meanwhile, cyber police have been established only in recent years, and law enforcement is 
still at the testing-stage. In addition to the legal gap, the weak punishments help minimize 
prevention (McConnell International 2000, p. 8). For many scholars, more severe penalties 
are the definite choice for strengthening deterrence, but still others doubt whether it will be 
the “answer” for the virus authors (Vamosi 2003). These doubts diminish the striking power 
against cybercrime, and further reinforce the criminal mind. 

(vi) The insufficiency of cybersecurity management leaves a backdoor for possible 
intrusion (see Chapters 3, 4, 7, and 8). Traditional business security measures were designed 
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to safeguard premises physically and deter perpetrators psychologically, ranging from 
restricted accessibility, removal of outside visibility, and reducing escape possibility, 
particularly guarding the target outside of business hours (Aromaa and Laitinen 1994, pp. 
47-101). Since the management was changed from manual to automatic, management 
consciousness and methods have fallen behind the development of information systems. The 
absence of vigilance (Bequai 1978, p. 15) may derive from the fact that individuals and 
organizations think more about benefits, the convenience and development of the business 
than of security management. The capital and human resources invested in security 
maintenance does not furnish the necessary safeguard. The unauthorized disclosure or 
acquirement of confidential information may be achieved through a “compromised storage, 
handling or disposal of computer devices or electronic data media,” regardless of the 
availability of security safeguards and awareness of governments and businesses about their 


responsibility for protecting the security of information.>”” 


In addition, we never deny the 
technological involvement of various kinds of cybercrimes, but we also think that there is 
some truth in the conclusion that Felson (2002) came to: 

“Most computer fraud is traced not to brilliant hackers but rather to those who leave their 
passwords on top of the desk with their office doors open, or who dump the technical manuals 
in the trash bin, or who used to work somewhere and still access information they shouldn’t.” 
(p.175.) 

(vii) Loopholes in the computers and networks technology expose the system to attacks 
(see Chapters 3, 4, 7, and 8). No operating system is hacking-proof. The malicious 
programmes exploit the loopholes of the operating systems and launch attacks. The security 


measures are often falling behind the activities of the loophole-seekers. In addition, 


sometimes the users do not instantly apply security measures. These factors can be 





°” Sale of Provincial Government Computer Tapes Containing Personal Information, Re, 2006 
CanLII 13536 (BC LP.C.). In this case, personal information was at risk simply through the sale of 
government assets, among which were 41 computer tapes containing thousands of highly sensitive 
records, including medical conditions such as HIV-positive diagnosis, mental illness and 
substance-abuse, thousands of individuals’ names with social insurance numbers and dates of birth, 
details of applications for social assistance, and caseworker entries divulging extremely intimate 
information about people’s lives. Besides, about 22 sold hard drives had not been wiped away, with 
government data accessible. All this happened due to simple mistakes made in good faith by individual 
government employees. 
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summarized as the problem of computers and networks technology. Thus as the critical factor 
of modern society, information systems become the vulnerable target of modern crime. The 
need for security (Bequai 1978, pp. 19-24) remains a critical element in safeguarding 
information systems. 

(viii) The Insufficiency of family and school education and discipline grants juveniles 
more opportunities to abuse computers and networks (see Chapter 6). In cyber transgress and 
cybercrime, juveniles constitute a critical proportion of the perpetrators. The prevalence of 
computers, the Internet, and their use in the home create for parents the important task of 
teaching juveniles to use computers and the Internet correctly. In many countries, parents are 
important figures for the education of their children. But, if many parents do not have much 
computer knowledge when they buy computers for their children, children lose parental 
constraints. Then, the use of computers is an absolute freedom and results in cybercrime. To 
some extent, nonetheless, the families and schools can prevent children from perpetrating 
cybercrime and being victimized in the first place. 

(ix) The functional weakening of traditional social communication disorganizes the 
traditional interpersonal relationship by seeming to require instant communication. The theory 
of social disorganization has been used to explore deeply into social communication (Mowrer 
1942; Elliot and Merrill 1961). Social disorganization may be the consequence of many 
factors. We think that there is a basic reason behind the numerous factors, that is, the 
abundant available information in urban and urbanized regions. Traditionally, the necessity 
for strong interpersonal communication results from scarcity of information. But nowadays 
the residential concentration in an urban area or urbanized area, the development of electronic 
media and telecommunications devices, and the dissemination of free information by various 
means are meant to solve the problem of information scarcity. Under such circumstances, the 
acquirement of information traditionally through interpersonal communication becomes 
insignificant. Upon meeting the need for such information, curiosity drives the Internet users 
to access more information from the international information systems. With the enlargement 
of the incompact online community, the size of the compact offline community is shrinking. 


The vanishing real interpersonal communication and the emerging virtual interaction will 
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reconstruct the form of the community and the criminal types that dwell in it. Cybercrime is 
one of the problematic outcomes of this reconstruction (see Chapters 3, 6, and 7). 

(x) The historical absence of restraint on white-collar employees creates a temporary 
opportunity for insider crime. Although the conception of white-collar crime has a history of 
several decades since Sutherland, public opinion on crime remains focused on violent crimes. 
The direct result from the conventional notion is that white-collar crime is a smaller concern 
in criminal justice than violence. With the deepening of urbanization and the spread of 
information, white-collar digital crime is exploiting the priority to deduce their guiltiness. The 
basic supposition is that information security breakers have been driven by noble-minded 
motives and have disdained to cause harm, and consequently that even where they do cause 
harm, people have conjectured that they are not deliberate and selfish. Involuntary judicial 
neglect, media misleading, and public connivance accelerate the growth of white-collar 
cybercrime (see Chapters 3, 4, 6, and 7). 

Any inquiry would be limited in scale and in result. However, we have recognised that 
the development of the technical network has had great impact on the social network, both 
positively and negatively. While the positive impact tends to strengthen social integration, the 
negative impact impels the disintegration of the society. The two different forces are rewriting 
social phenomena and the social problem. The changing social environment may have quite a 


few problems in coming to term with cybercrime. 


13.3 The primary factors preventing cybercrime 


“Tt is better to prevent crimes than to punish them.” (Beccaria 1764, Chapter 41) 
Prevention of cybercrime is, however, not as simple as typing some commands on a keyboard 
to commit it. Grabosky (2000) recognized that cybersecurity would depend on efforts of a 
variety of institutions and self-help by likely victims (p. 2.). Until now, there has not been a 
unified set of effective measures, although many individuals and organizations have proposed 


numerous recommendations, mostly composed of factors similar to each other but with 


350 


different emphases, such as CoE Recommendation No. R (95) 13 (1995),*”> UNCJIN (1999), 
McConnell International (2000), APEC (2002), etc. McConnell International (2000, pp. 8-9) 
made its recommendations in three categories: firms should protect their networked 
information, governments should enact their cybercriminal law, and firms, governments and 
civil society should cooperate to reinforce the legal infrastructure for cybersecurity. 
Recognizing that there has never been and will never be a panacea to deal with criminal 
phenomena, there are some factors that cannot be ignored in anti-crime actions. In contrast to 
the previous propositions, I shall emphasize the development and maintenance of secure 
information systems, promoting information ethics and law-abiding consciousness, and 
creating sufficient legal incentives and remedies. 

(1) The developing of information systems with a higher quality 

The development of a secure system is a preferential choice among all countermeasures. 
Just as a healthy person can resist diseases, perfect information systems cannot be victimized. 
However, the perfect system does not exist just as no one is perfectly healthy. In strict 
scientific terms, it is not possible to demonstrate a cut-off point between security and 
insecurity. The higher level of security is generally viewed as security, while the lower level 
of security is generally viewed as insecurity. Most cybercrimes relate to the defects of the 
systems. Insecure information systems are like defective products or services, for which the 
producers or providers should be regulated by the law on product-quality control. Secure 
information systems can be acquired through the establishment of industrial standards and 
liability for system quality. In the early years of ICT development, there was more focus on 
usability. With the development of ICT, a standard for higher quality should be adopted to 
ensure security. 

(11) Promoting security awareness 

Cybercrime is merely a serious breach of cybersecurity, which is not ensured because 
information systems have low controllability as discussed in Chapter 3. Online users should 


accept suitable education and training to acquire higher security consciousness. Users are 





78 Council of Europe Recommendation No. R (95) 13 of the Committee of Ministers to Member 
States Concerning Problems of Criminal Procedure Law Connected with Information Technology 
(Adopted by the Committee of Ministers on 11 September 1995 at the 543rd meeting of the Ministers’ 
Deputies) 


direct interest groups in cybersecurity. Social mechanisms relying on cyber police are simply 
not enough to maintain cybersecurity. Therefore, it is important for users to raise their 
law-abiding consciousness, grasp technology to prevent abuses, and enhance their ability of 
self-protection. To a certain extent, the frequent happening of cybercrime results either from 
lack of a law-abiding conscience or from the lack of a self-protective consciousness. To 
educate users is an urgent affair, which should be emphasized at the international level, as the 
WSIS (2003) has proposed: 

“A global culture of cyber-security needs to be promoted, developed and implemented in 
cooperation with all stakeholders and international expert bodies. These efforts should be 
supported by increased international cooperation. Within this global culture of cyber-security, 
it is important to enhance security and to ensure the protection of data and privacy, while 
enhancing access and trade.” (Section B5, paragraph 35) 

Some economists may argue that it is prohibitively costly to educate everyone by a 
specific institution in a specific opportunity at the same time. However, we cannot ignore 
opportunities for the effective spreading cybersecurity knowledge to any size of audience. 

(iii) Raising law-abiding consciousness 

Education for the development of a law-abiding conscience follows a tradition of earlier 
generations, such as Cesare Beccaria.*”” However, law and order in cyberspace has no 
precedent to follow. It remains disputable as to whether cyberspace constitutes the natural 
expansion of traditional society. Consequently, it is still arguable whether traditional laws and 
regulations should be applied to cyber activities, or whether traditional authorities should 
extend their grasp over a new space. The netizens who migrate to this lawless space behave 
unconstrainedly. Under cyber sub-culture, hackers defend themselves by their own codes and 
ethics, refuse to acknowledge the validity of state power, and ignore state jurisdiction over 
information systems. The assumptions of an anarchic state without regulation or of an 
autonomic entity with self-regulation are prevalent among technological supremacists. 
Knowledge and skills make them technical elites on the one hand, ignorance of law and order 
makes them law-breakers on the other hand. However, in history, talent, knowledge and skills 


have never become the excuse for crime. Therefore, education is necessary to raise the 





379 Crime and Punishment, Chapter 45, 1764. 
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netizens’ law-abiding consciousness in cyberspace just as in society. This law-abiding 
consciousness falls mostly into the sphere of ethics as well. The “need for ethical 
management” and “implementing a code” (Bequai 1983, pp. 76-80) has long been recognized. 
Education in this aspect is a long-term and extensive task for many sectors. 

(iv) Developing security technology 

Before any scientific discovery and technological invention are made available to the 
general public, they are controlled in the hands of a few scientists and technicians, regardless 
of the possible impacts. Nothing about security is preferential. Only when incidents of broad 
harm to human beings became apparent did the scientific ethics begin to be emphasized in 
obviously harmful scientific activities. Priority should be given to a swift transition from an 
emphasis on usable technology to the development of a secure technology. The ICT industry 
has opportunities of developing security technology and of enhancing users’ self-protective 
ability. Information systems can only be secured through a constantly updated technology, the 
development of new products, increased self-protection, and the closing of security gaps. 

(v) Security training 

Many factors erode the security protection of information systems. Lack of security 
consciousness and security measures is the most usual reason why users cannot secure their 
system. Users do not have the incentive to adopt security measures unless their systems are 
compromised. The usual examples of active participation in security training take place when 
users suffer losses or when administrative decree forces them to accept training. Users who 
benefit from security training are willing to receive further training. Nevertheless, in practice, 
security training is not always effective if it is operated as a market solution, because private 
trainers have the incentive of gaining pecuniarily from exaggerating risks and dangers, and 
from the effects of their training. Therefore, the training should better be organized by 
qualified institutions licensed by the public authorities. 

(vi) Establishing specific institutions 

Durkheim’s ideas concerning the social division of labour argue for specialized 
organizations in charge of crime prevention. This is because the establishment of institutions 
specialized in many different fields tends to fall into the hand of a bureaucracy. Social 
resources are wasted when many new institutions are established while many old institutions 
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are not disestablished. Cybercrime prevention is different. In fact, many countries have 
established numerous institutions at different levels and on different scales, being affiliated to 
or independent of other institutions. Independent institutions, equipped with their expertise 
and knowledge, would be more effective in reacting against urgent incidents. These 
institutions may take the form of a contact-point such as the 24/ Network designed by the 
Convention on Cybercrime. The Convention on Cybercrime has provided that each party 
should authorize a contact-point available on a twenty-four hour, seven-day-a-week base, to 
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guarantee instant support in investigation and collection of evidence.“ This provision 


requires member states to bear a round-the-clock responsibility for “immediate assistance.” 

(vii) Reasonably monitoring online activities 

Although there are uncertain factors for maintaining law and order in cyberspace, 
criminal behaviour should be punished and prevented. The establishment of cyber police and 
cybercrime reaction forces in many countries meets the demand of security protection. One of 
the goals of a cyber police and of cybercrime reaction forces is to prevent and monitor 
harmful online activities, which usually happen within seconds and leaves no trace. The 
fundamental requirements for cyber police should be profound computing and networking 
knowledge and anti-hacking skills, as well as the potential to follow new developments of 
ICT. Because cybercrime can easily cross state borders, rapid reaction and the mutual 


assistance of cyber police between different countries is vital.** 





*8 Convention on Cybercrime, Article 35 24/7 Network. 

oa ibid.; see also HE 153/2006, General Justifications, 4 Effects of the Proposal. 

*8? More than any other recommendations, advice on policing the Internet would induce the biggest 
controversy and criticism, from organizations and groups such as the ACLU, ISPA, EFF, etc. 

The mission of the American Civil Liberties Union (ACLU) is to preserve freedom of speech, 
association and assembly, right to equal protection under the law, right to due process, and right to 
privacy. The Union is concerned about the issues including but not limited to anonymity on the web, 
Internet free speech, Internet privacy, Internet censorship, surveillance and wiretapping, and workplace 
privacy, etc. (see ACLU website, at http://www.aclu.org/). 

The Internet Service Providers’ Association (ISPA) strives for promoting competition, 
self-regulation and the development of the Internet industry, and concerns about the issues such as 
political monitoring, etc. (see ISPA website, at http://www.ispa.org.uk). 

The Electronic Frontier Foundation (EFF) fights for the right to free speech, as detailed as the 
right to blog anonymously, the right to keep sources confidential, the right to make fair use of 
intellectual property, the right to allow reader's comments without fear, the right to protect the servers 
from government seizure, the right to freely blog about elections, the right to blog about the workplace, 
and the right to access the media (see EFF website, at http://www.eff.org/br/). 

See also other organizations or groups, for example the Internet Free Expression Alliance (IFEA, 
at http://www.ifea.net/), the Digital Freedom Network (DEN, at http://www.1ia.org/dfn/), the Computer 
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(viii) Legislating on cybersecurity 

Consensus has not yet been reached on whether cyberspace should be regulated or 
deregulated. However, our discussion supports feasible and adequate regulation, without 
which law and order in cyberspace cannot be maintained. At present, the legal provisions on 
cybersecurity protection are scattered throughout criminal law, civil law, specific acts, 
regulations and decisions. It is necessary to implement a law specializing in cybersecurity 
protection, during which the lessons and experiences of various countries should be drawn 
upon to strengthen pertinence, systematism, and operability. The improved effectiveness of 
regulation and an increased severity in punishment would make it more costly to commit 
cybercrime, and discourage the potential criminals from taking the risk. 

(ix) Reinforcing judicial effectiveness 

The ICT promotes the effectiveness of all the social activities by making all the 
participants informed. Cybercrime emerges as a side-product of ICT, which can both 
strengthen and weaken the effectiveness of the law enforcement based on the traditional social 
environment. The central problem is that the atmosphere of free cyberspace has an extensive 
influence. When interception techniques are used in law enforcement, they usually induce 
disputes from different interest groups. The culture of security should be promoted by the 
adoption of relevant techniques by the law-enforcement agencies. 

(x) Cooperation of the public-private sectors 

Cybersecurity is a relative conception and mixed provision is more efficient. 
Cybersecurity should be primarily maintained by the private sector, assisted by the public 
sector, represented by law enforcement. Because of conflict of interests and limited capacity, 
neither public sector nor private sector can undertake the whole task of cybersecurity 
protection alone. The absence of public-private cooperation has been one of the critical 
problems in combating cybercrime (Syngress 2002, p. 2), lack of which just leaves loopholes 


in cybersecurity unfilled and exposes the vulnerabilities of information systems. 





Professionals for Social Responsibility (CPSR, at http://cpsr.org/home), the Electronic Privacy 
Information Centre (EPIC, at http://www.epic.org/), and the Centre for Democracy and Technology 
(CDT, http://www.cdt.org/cda.html). 
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International society has recognized the importance of cooperation in this field.**? Three 
modes of public-private cooperation should be considered: first, public-private partnership; 
second, public-supported private activities; and third privately-supported public activities. 
Previously, cooperation was usually organized by the public sector and participated in by the 
private sector. The authoritative power and administrative function of the public sector played 
an important role in inducing a broad participation of individuals and enterprises, providing 
some kinds of education, training, rules, and coordination. The growing interests and forces of 
the private sector require a strengthened role in providing cybersecurity independently, or 
interdependently with the public sector. 

(xi) International cooperation 

The international highway, railway and airway are limited to territory. The material 
existence of an information superhighway, however, only appears in sovereignties in the 
forms of cables and computers. The contents and activities of information systems are 
intangible, crossing locations distributed possibly anywhere along the “information 
superhighway.” The discussions in the previous chapters have offered abundant revelation 
that in the current greatly interconnected society, combating cybercrime necessitates global 
cooperative endeavours, which is required in cybersecurity protection at various levels, 
including raising international and national levels of security consciousness, harmonizing 
substantive legislations, filtering and intercepting trans-border information traffic, furthering 
the exchange of detained judicial information, mutual assistance in criminal investigation, 
extradition of criminals, and other necessary fields. McConnell International has (2000, p. 8) 
proposed a “model approach” to cover both international cooperation and private-public 
partnership to eradicate the legal vacuum. The “common criminal policy” as the Convention 
on Cybercrime furnishes can be seen as equivalent.*** A consistent framework of legal policy 
constitutes the foundation of any international cooperation. In international cooperation, this 
means the necessary coordinated national police actions in search and seizure of stored data, 
real time collection of traffic data, interception of content data, and so on as provided in the 


Convention on Cybercrime (Articles 19-21). 





383 Council of Europe, Preamble, Convention on Cybercrime, Budapest, 23 November 2001. 
384 +1. 
ibid. 
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The present world powers remain intolerant of differences between communities, 
countries, and cultures. Ours is a world without awaiting and communication before state 
violence and wars come into being. The failure of broader consensus and_ broader 
accommodation of the current international forum reminds the mutual proximity through 
international, intercultural and interrelated dialogue. The natural logic behind this world is 
that in a violent world, terrorism has been the excuse of endless wars (against the terrorists) 
and in information society, cyber terrorism will be the excuse of future wars (against the 
cyber terrorists). It seems that international cooperation in an equal and a tolerant platform is 
more than ever required. In the sense of money laundering, developed states, particularly 
those with a developed banking system, are legally doing far more than a poor country listed 


ape However, international 


as the core of world concern can implicitly or explicitly do. 
pressure is more than ever put on the poor country rather than its developed counterparts. 
Therefore, future international cooperation should be carried out in a more balanced way, an 
approach that should run through all efforts for combating cybercrime. 
(xi) Reinforcing the deterrence of punishment 

Penal measures are the final remedy for cybersecurity breaches. If criminals are left 
unpunished, they will have a greater incentive to repeat their activities and gaining even more 
pecuniary profit from them. Legal history has not witnessed any substitutive measures for 
punishments, even though the types of punishments change over time.**° The previous 
practice proves that deterrence of punishment has been greatly influenced by obstacles to law 
enforcement. The economic viewpoint on crime and justice argues that low probability of 
detection and inappropriate severity of punishment would minimize the overall deterrence 


(Becker 1968). In order to improve the deterrent effect of punishment, both investigation and 


conviction should be strengthened through a series of techniques and actions. Both national 





*8° For example, Myanmar is currently the only country listed by Financial Action Task Force on 
Money Laundering (TAFT) as Non-Cooperative Countries and Territories (NCCT) in the field of 
anti-money laundering. See TAFT web site, 23 June 2006. Retrieved 15 March 2007, from 
http://www. fatf-gafi.org/document/4/0,2340,en_32250379_32236992_33916420_1_1_1_1,00.html 

86 The most ancient punishments were characterised by physically exterminating or torturing 
criminals, including capital and corporal punishments, even though fine and imprisonment were 
similarly old. The later punishments became less bloody and less cruel, primarily depriving freedom 
and dignity. The latest tendency is that punishments indirectly related to the criminals’ life, health and 
freedom are broadly adopted, including fine, disqualification, community service, and probation. 
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oey Nevertheless, 


and international legal instruments have been constantly making such efforts. 
there are also factors hindering the extreme efforts to reduce the crime-rate simply by 
increasing investment for improving law enforcement. It would be prohibitively expensive to 
produce a few effects on crime rate reduction. Therefore, no better alternative is open than 
that of giving comprehensive consideration to the process of law enforcement in a detailed 
social context. 

(xiii) Establishing a victim compensation mechanism 

Cybercrime represents a way of transferring information, wealth, competitive power, and 
psychological satisfaction from victims to perpetrators. Most victims are usually those people 
with low risk-awareness and a low security level. Furthermore, the victims of cybercrime are 
generally reluctant to report crimes. They worry that public authorities cannot remedy past 
damage but can cause further losses by weakening public reputation and inducing future 
attacks. Victim compensation mechanisms increase the incentives of victims to report crimes 
and provide evidence, with the help of which they can recover part of losses. Because 
compensation imposes an extra financial burden on the perpetrators, it also creates incentives 
to discourage the potential criminals from compromising information systems. Ideally, the 
dual incentives thus created will decrease the number of cybercrimes. 

(xiv) Eliminating negative incentives in cybersecurity protection 

Cybersecurity involves many different interest groups who benefit from different 
activities. System developers attempt to reduce costs for improving the security of software. 
Computer users attempt to reduce their investment on security measures. Security service 
providers have the incentive to exaggerate the risks, dangers, number and losses of insecurity 
incidents. The mass media also have the incentive to attract more readers, audience, 
advertisers, and marketers. Even the police and professors have the possibility of benefiting 
from increased expenses on research and development, as was mentioned in Chapter 7 


Section 7.13. On the other hand, some individuals and institutions have an incentive to 





*87 For example, the Council of Europe Convention on Cybercrime, European Union Framework 


Decision on Attacks against Information System, HE 153/2006 of Finland, and so forth. The 
mechanisms include the acquiring and fixing of digital evidence, duty of witness, international 
information exchange, etc. 
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underestimate the genuine threat of cybercrime. Countermeasures must be taken to eliminate 
these incentives that distort truths and exploit these distorted truths of cybersecurity. 

(xv) Drawing out lessons from the experiences of traditional crime-prevention practice 

Although cybercrime has many characteristics different from traditional offences, it is a 
natural development of criminal phenomena, playing an interference opportunities brought 
about by information systems. The past lessons in failed efforts and experiences in successful 
endeavours have an organic relationship with current and future-policy design. In fields such 
as the deterrence of juvenile delinquency, international trafficking of human beings, drug 
control, and prevention of violence, the existing criminal-justice system proves constructive. 
The cybercrime scene is less violent, but there are still elements that can be addressed by 
ordinary methods, such as raising a law-abiding consciousness, by constructing an online 
community, and by the establishment of an information security culture. 

With all these measures, our intent is to increase the effectiveness of deterrence and to 
reduce the benefits of cybercrime, ensuring that the existing and potential perpetrators will be 
less satisfied. Mathematical methodology usually reduces crime prevention to some numerical 
indicators unreliably. Schweinhart, Barnes, and Weikart (1993) found that each dollar spent 
on crime prevention would ultimately save seven dollars (cited in Levinson 2002, p. 696). We 
could hardly anticipate that this kind of precise calculation of the preventive effect would 
ensure a constructive method for providing generalized policy recommendations. 
Mathematical or statistical methods are typically overused and misleading in contemporary 
social sciences. Although it is unreasonable to suppose that spending more money would 
reduce the losses caused by cybercrimes, or simply decrease the number of cybercrimes, 
measures against cybercrime will definitely involve more investment. Besides pecuniary 
involvement, many other aspects of social forces should in addition be taken into account to 
enforce the counter-cybercrime efforts. Thus, both money and staff will have to be dumped 
into this endless circulation of crime and anti-crime, or anti-social behaviour and 
anti-anti-social endeavour. While criminal phenomena are a comprehensive erodent to the 
economic society, the distinct measures undertaken against them must be integrated in order 
to deter intrigue against the prosecution of offences. In this way, the abandoned hope of 
society may be restored to it. Great challenges necessitate powerful commitment. 
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The long-term and sustainable actions are to be aimed at the reduction of factors 
benefiting the occurrence of cybercrime and the augmentation of factors benefiting the 
maintenance of cybersecurity. This necessitates a social-control model through a relatively 
open and decentralized legal system, overcoming the closed and centralized faults inherited 
from the tradition of legalism. Furthermore, law is reduced by information systems into a 
minor method of social control, from the starting-point where it was once the dominant 
method, or at least a parallel method to other social-control methods. There is hardly a legal 


superhighway that leads to the normalization of the information superhighway. 
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ABSTRACT 


Society is undergoing automization, digitalization, spread of information, and 
networking, brought about by the broad adoption of information and communications 
technology (ICT). Information systems create not only advantages, convenience and 
efficiency, but also disadvantages, challenges and threats. Legislation is usually not prompt 
nor adequate enough to address technology-oriented social problems. The potential abuse of 
information systems has long been uncontrollable. Cybercrime has a deeply negative 
influence on the development of an information society. 

Considering the routine-activity theory and the social disorganization theory, the 
dissertation explores the conceived challenges created by the development of an information 
technology confronting the traditional social-control system. The dissertation analyses the 
history, definition, characteristics, and classifications of cybercrime. It advocates a definition 
in a broad sense, in which it identifies characteristics of cybercrime and their negative 
influence on the probability of detection and effectiveness of deterrence. Current legal 
frameworks on cybercrime, either outdated or updated, either intra-national or international, 
are found ineffective in combating cybercrime. The key understanding of this dissertation is 
that, in order for the information society to be protected and the effectiveness of legal 
deterrence to be guaranteed, it is imperative to eliminate legal and jurisdictional gaps 
between countries, and between meat space and cyberspace so as to hold the criminal 
subjects liable. 
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